Forums / Cotonti / Core Labs / Archive / RSS output

HarryRag
#6478 2009-02-03 09:15
I have just been testing a bit with RSS feeds.
And I see some serious private security options, as I see no options in the admin panel to block certain groups out of certain areas.

Will explain it in a case.

A site moderator with access to a private forum not accessible to everyone, including standard members, leaves the ship, or other options *

* Other option: providing a link to the RSS feed of that private section to a third party.

As soon as a forum/board user or a third party (not logged in or even registered) who normally wouldn't have access to those private forums gets hold of the RSS feed link to that particular private forum/topic (topic mostly) with:
rss.php?c=topics&id=XX

Then they can keep hold of the stuff posted in that topic via the RSS feeds page; they are not able to log in via the feeds, but they can see the feeds and the last posts made.

Tested this with IE8 RC1, FF305 and Opera 9.63 on my own rig with only Opera logged in, and with 2 laptops not having the login specs to my site and providing them a link to a private topic RSS-feed.
In all cases I was able to fully read those private articles.


So by guessing topic IDs a whole site could be read out, including images and all stuff that should stay private.
That makes the RSS-feeds a bit dangerous to use for me on the board.


The big question for me is:
Can the Forums part of the RSS feeds be ripped out of rss.php while it still keeps running for pages, articles and news?

Regards,
HarryRag


[update]
After removing the topics id part of rss I couldn't manage to do so.
I might have done something strange, but this is what I ran into.
[/update]
True & Honest Gamers (http://www.true-gamers.nl)
This post was edited by HarryRag (2009-02-03 09:45, 15 years ago)
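
The behaviour reported above is a missing authorization check in the feed handler: the topic feed is served without testing whether the requester may read the section the topic belongs to. As an added example (not Cotonti's rss.php and not part of the original post), this PHP sketch shows a deny-by-default check evaluated with guest rights before any feed item is rendered; the function names, group ids and sample data are hypothetical and constructed.

```php
<?php
// Added example: hypothetical names, constructed data; not Cotonti's rss.php.
const GUEST_GROUP = 1; // assumed id of the "not logged in" group

// Constructed sample data: which groups may read each forum section.
$sections = [
    10 => ['read_groups' => [1, 4, 6]], // public section
    20 => ['read_groups' => [6]],       // private staff section
];
$topics = [
    101 => ['section' => 10, 'title' => 'Welcome',   'posts' => ['Hello all']],
    202 => ['section' => 20, 'title' => 'Mod notes', 'posts' => ['Internal only']],
];

// Deny by default: unknown topic, unknown section or no matching group => false.
function feed_can_read(array $sections, array $topics, int $topicId, array $groups): bool
{
    if (!isset($topics[$topicId])) {
        return false;
    }
    $sectionId = $topics[$topicId]['section'];
    if (!isset($sections[$sectionId])) {
        return false;
    }
    return count(array_intersect($groups, $sections[$sectionId]['read_groups'])) > 0;
}

function render_topic_feed(array $sections, array $topics, $rawId, array $groups): array
{
    $topicId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    // Same 404 for "does not exist" and "not allowed", so the response
    // does not confirm which topic ids are in use.
    if ($topicId === false || !feed_can_read($sections, $topics, $topicId, $groups)) {
        return ['status' => 404, 'body' => ''];
    }
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    $items = '';
    foreach ($topics[$topicId]['posts'] as $post) {
        $items .= '<item><description>' . $esc($post) . '</description></item>';
    }
    $title = $esc($topics[$topicId]['title']);
    return ['status' => 200, 'body' => "<rss version=\"2.0\"><channel><title>$title</title>$items</channel></rss>"];
}

// A feed reader sends no session cookie, so the request is judged as a guest.
foreach ([101, 202, 999, 'abc'] as $id) {
    $r = render_topic_feed($sections, $topics, $id, [GUEST_GROUP]);
    echo "id=$id status={$r['status']}\n";
}
```

Because the check runs on the section's read rights rather than on the feed URL, a leaked or guessed link to a private topic returns the same empty 404 as a topic that does not exist.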