
FURL - does IPS intend to fix this?


José Antonio


I posted this once on the tracker: http://community.inv...itle-of-topics/

I tested here and saw that it has not been fixed. So the question is, do you intend to fix it? I cannot enable this because a member is discovering the titles of topics restricted to my team of moderators.

An alternative would be to have a setting to exclude certain forums from the use of FURLs, team forums, for example.

Of course this is just a suggestion. I have not used FURLs for some time, but I would like to have them back if this were solved.

Sorry for my bad English.

Thanks!



The best place for the info is on that tracker.... it was mentioned by Brandon that it's working as intended.



Precisely why I posted here. I think that it might work better without this "error" that I mentioned in the tracker, because it is unpleasant that other members discover topic titles in protected forums. I do not use FURLs now, but I intend to re-use them.


It's amazing to read the tracker issue from him.

His answer is in his question.

José Antonio, can you tell me how the team section topic ID or post ID is "revealed" to unauthorized users, even though they can't access the team area?

Are you trying to say that some unauthorized user guesses the "Team section" topic IDs or post IDs? :twitch:




Hi, I'll try to explain in a simpler way.

For example, imagine you have a sub-forum that only moderators can see.

And this forum has a topic with the following title: "Invision Power Brasil".

Imagine that you post in this topic and your post ID is 2050.

If any user accesses the following URL: "http://yoursite.com/index.php?app=forums&module=forums&section=findpost&pid=2050"

he is redirected by IPB to the following URL: "http://yoursite.com/index.php/topic/411-invision-power-brasil/page__p__2050#entry2050"

After being redirected, with the topic title already revealed, IPB shows the message about lacking permission to view the topic.

This happens with guests and with users of any group.

Excuse my bad English.



I don't see the problem.... That's how it works.

....I'm confused enough about what you expect as the behaviour to post now...
The topic title being in the FURL is a security risk? :logik:
It's not as if IPB itself is allowing the user to see the content in any way, shape or form...
It really is not a bug IMO, and would require a complete rewrite of how the core handles FURLs (it is an on-off switch, not a precise choice by content)... not something I would foresee being put in 3.3 regardless, this far into it.



If you're concerned about it, just don't use topic titles in your staff forums that contain anything you don't want known by members.



Hell, most of my staff forum topics are titled mundane stuff like "lol", "fail", "upcoming updates", etc.



:laugh: All I kept thinking was why do you put such revealing information in a topic title anyway?
The same effect would occur if you let users see a topic listing, but not the actual topics.


Quoting "I don't see the problem.... That's how it works.":

Yes, yes, but it would work better if the permissions of the topic were checked before, and not after, the redirect, so the title would not be exposed to anyone.

Quoting "The topic title being in the FURL is a security risk? [...] It really is not a bug IMO [...]":

This isn't a security risk. But it's not nice to know that other members get to see topic titles restricted to moderators.

Quoting "If you're concerned about it, just don't use topic titles in your staff forums that contain anything you don't want known by members.":

hehe

It is still a good idea, but it gets very disorganized. :laugh:



I understand what your "POINT" is, but just define this for me: "How could it be possible that someone guesses the "correct" post ID or topic ID from your "Moderating area"?"

Suppose I'm a guest, and I register on your forum. Your forum has a "Moderating forum", and when I click and try to access that forum I get a "Permission Denied" message on screen. That's it. But how could it be possible that I start guessing your forum's topic IDs and post IDs? I don't even have an idea of how many posts and topics have been made in your forums, and where would I start searching for your "Moderating posts"?

You said:

"And this forum has a topic with the following title: "Invision Power Brasil". [...] Imagine that you post in this topic and your post ID is 2050."

OK, I imagine that my topic is titled "Invision Power Brasil" and my post ID is 2050. I imagine this because I'm a moderator, right? And I posted this topic in a secure area, so it's not possible that this post ID is leaked in any way. So how could it be possible that someone goes directly to this URL "http://yoursite.com/index.php/topic/411-invision-power-brasil/page__p__2050#entry2050"?????

Only team and staff members know the IDs, so it's not possible in any way that an unauthorized user starts guessing the correct IDs.



But just look at the most recent post in the forum, since the IDs of posts are always in ascending order. For example, the last post in the forum has the ID 2000. The user will put the numbers 1999, 1998, 1997, 1996 and so on into the "findpost" URL until he finds something.

I say this because I've seen some members of my forum doing it.

It is not exactly a problem with the FURLs but with "findpost", since this function redirects before checking permissions.

Sorry for my bad English.

It could be an issue, in my mind. If in my moderator forum we have a topic labeled "XYZ user's complaint about ABC user stalking them"... the expectation is that this topic is private, but if the topic title can be seen by members without permissions, this would be a bad thing. The workaround in my mind is to either notify people that this is possible and to not post sensitive info in topic titles (IPB would need to announce this or put it in the product docs), or, when redirecting, do a permission check on the forum_id that the topic is in before doing the rewrite.


You can also do it with topics too, which seems much faster, because searching by posts results in listing many topics over and over (multiple posts per topic):

http://community.invisionpower.com/index.php?showtopic=358481

That said, I searched until I hit a "do not have permission" with the above and it did not give me the new FURL with the topic title. Maybe it has been fixed?




Not yet.

The URL with the title appears only with the post ID, not with the topic ID.

For example, access this URL without being logged in: http://community.inv...ost&pid=2240126

You will be redirected to: http://community.inv...26#entry2240126

So if I were an evil person, then I would write a script to repeatedly query that URL and increment the post number, collecting topic titles. I would log everything that came back with the "restricted" message in the HTML body but save the title tag. I could use that data to collect what otherwise was likely considered private information.

Seems like an issue.

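To make the two orderings concrete, here is an added example (my own, not IPS code and not the real IPB findpost implementation): a small model of a findpost handler in the redirect-before-check form the thread describes and in a check-before-redirect form, plus the descending post-ID walk from the posts above. The forum, topics, post IDs, group names and the slug rule are all constructed for the example.

```python
"""
Added example, not IPS/IPB code: a minimal model of the "findpost" redirect
discussed in the thread. findpost_vulnerable() builds the title-bearing FURL
and redirects before any permission check; findpost_fixed() checks the
containing forum's permission first. harvest_titles() is the post-ID walk a
member could run against the vulnerable form. All data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Topic:
    tid: int
    forum_id: int
    title: str


@dataclass(frozen=True)
class Post:
    pid: int
    tid: int


# Constructed sample data (hypothetical forum): which groups may read each forum.
FORUM_READ_GROUPS = {
    1: {"guest", "member", "moderator"},  # public forum
    2: {"moderator"},                     # moderator-only "team" forum
}

TOPICS = {
    410: Topic(410, 1, "Welcome to the board"),
    411: Topic(411, 2, "Invision Power Brasil"),                # restricted
    412: Topic(412, 2, "XYZ user's complaint about ABC user"),  # restricted
}

# Post IDs are sequential, which is what makes the downward walk cheap.
POSTS = {
    1998: Post(1998, 410),
    1999: Post(1999, 411),
    2000: Post(2000, 412),
    2050: Post(2050, 411),
}


def slugify(title: str) -> str:
    """Approximate a FURL slug (assumption): lowercase, non-alphanumerics -> '-'."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")


def furl(topic: Topic, pid: int) -> str:
    """Friendly URL in the shape quoted in the thread; the slug carries the title."""
    return f"/index.php/topic/{topic.tid}-{slugify(topic.title)}/page__p__{pid}#entry{pid}"


def can_read(forum_id: int, group: str) -> bool:
    return group in FORUM_READ_GROUPS.get(forum_id, set())


def findpost_vulnerable(pid: int, group: str) -> tuple[int, str]:
    """Redirect first: the Location header already contains the slugified
    title, and the permission check only happens on the page redirected to.
    Returns (status, location)."""
    post = POSTS.get(pid)
    if post is None:
        return 404, ""
    topic = TOPICS[post.tid]
    return 302, furl(topic, pid)


def findpost_fixed(pid: int, group: str) -> tuple[int, str]:
    """Check the containing forum's read permission before building any URL.
    Unknown and forbidden IDs both get a bare 403 so the response does not
    tell the caller whether the ID exists in a restricted forum."""
    post = POSTS.get(pid)
    if post is None:
        return 403, ""
    topic = TOPICS[post.tid]
    if not can_read(topic.forum_id, group):
        return 403, ""
    return 302, furl(topic, pid)


def harvest_titles(handler, start_pid: int, count: int, group: str = "guest") -> dict[int, str]:
    """Walk post IDs downward from start_pid and keep every slug that comes
    back in a redirect: the 'evil script' from the thread, run offline here
    against the in-memory handler."""
    found: dict[int, str] = {}
    for pid in range(start_pid, start_pid - count, -1):
        status, location = handler(pid, group)
        if status == 302:
            m = re.search(r"/topic/(\d+)-([^/]+)/", location)
            if m:
                found[pid] = m.group(2)
    return found


if __name__ == "__main__":
    print("vulnerable:", harvest_titles(findpost_vulnerable, 2000, 3))
    print("fixed:     ", harvest_titles(findpost_fixed, 2000, 3))
```

Against the vulnerable handler a guest walking down from post 2000 gets the slugs of both restricted topics without ever seeing a post; against the fixed handler only the public topic's slug comes back. One caveat that goes slightly beyond the thread: the fixed handler deliberately answers 403 for missing and forbidden IDs alike, because a distinct 404 would still let the same walk map out which IDs exist inside the moderator forum.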


Guys, it's already been fixed.



If you have access to the client forum, grab the topic ID and try and access it via the old index.php?showtopic=x method while logged out.



Hello Matt, I tested here and it seems that it has not been fixed yet.

Access this URL without being logged in: "community.invisionpower.com/index.php?app=forums&module=forums&section=findpost&pid=2240126"

This topic is now archived and is closed to further replies.
