security (spoofing) issue with deleted member accounts

#67950 (In Topic #14468)

Community saint

I just did a test where my user "testMember" deleted himself.

I was then able to create a new user also called "testMember".

Although internally ocPortal identifies the user as "testMember_2", "testMember" is what appears in the members list, posts, etc.

This can lead to intentional/accidental spoofing of old user accounts where the casual user will not be able to distinguish between the two.

ocPortal should not have let me create "testMember" the second time around.

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .
#67960

I'm not sure there's a good solution to this. We'd need to make some kind of DB change to actually not delete member rows, but I don't think it would really make it more secure because there are lots of similar-looking characters in unicode (or even just whatever character list is active) that could allow similar spoofing.
If it is an admin account that is deleted, then the staff could put it in the prohibited usernames list (which I'm going to document).


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#67979

Community saint

I think there is a fairly easy solution for this.

1) Create a new deleted_users table (or other appropriate name of course).

2) on account deletion, place user name in this table. (You might want to place other auditing info like deleted_on, deleted_by_IP, deleted_by_user_ID, deleted_group_membership)

3) on account creation, after doing normal user name validations, check this table as the last step.

So this way you can actually delete the user details as normal and just maintain a historical list of names for added security.

As for your "but I don't think it would really make it more secure because …" comment, that type of argument can be said about a lot of small security fixes. Minor they may be, they get fixed anyway to try and plug as many holes as possible/practical.

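The three steps proposed above, worked through as an added example (my own code, not ocPortal's schema or API). It keeps a deleted_users table with the audit columns named in the post, writes to it on deletion, and consults it as the last step of registration; it also goes one step further than the post by comparing a normalised (NFKC + casefold) form of the name, which removes the cheapest spelling variants without claiming to solve every look-alike glyph. Table names, column names, function names and the sample data are all assumptions.

```python
"""Retired-username register (added example; not ocPortal code).

Models the thread's three-step proposal: keep a table of the names of
deleted accounts, write to it when an account is deleted, and consult it
as the final step of registration. Runs on an in-memory SQLite database
with constructed sample data; every table and function name here is this
example's own assumption, not ocPortal's schema or API.
"""
import sqlite3
import unicodedata
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE members (
    id           INTEGER PRIMARY KEY,
    username     TEXT NOT NULL,         -- name as displayed
    username_key TEXT NOT NULL UNIQUE   -- normalised form used for comparison
);
CREATE TABLE deleted_users (
    username_key             TEXT PRIMARY KEY,  -- normalised retired name
    username                 TEXT NOT NULL,     -- name as it was displayed
    deleted_on               TEXT NOT NULL,     -- ISO-8601 UTC timestamp
    deleted_by_ip            TEXT,              -- audit fields from the thread
    deleted_by_user_id       INTEGER,
    deleted_group_membership TEXT
);
"""


def username_key(name):
    """Normalise a name so cheap spelling variants compare equal.

    NFKC maps compatibility characters (full-width letters, ligatures) to
    their plain forms and casefold removes case differences. This does not
    catch every look-alike glyph (the caveat raised in the thread), but it
    stops the variants that cost nothing to produce.
    """
    return unicodedata.normalize("NFKC", name).casefold().strip()


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register(conn, name):
    """Step 3: normal validation first, retired-name check last.

    Returns (accepted, reason)."""
    key = username_key(name)
    if not 3 <= len(key) <= 32:
        return False, "bad length"
    if conn.execute("SELECT 1 FROM members WHERE username_key = ?", (key,)).fetchone():
        return False, "name in use"
    if conn.execute("SELECT 1 FROM deleted_users WHERE username_key = ?", (key,)).fetchone():
        return False, "name belonged to a deleted account"
    conn.execute("INSERT INTO members (username, username_key) VALUES (?, ?)", (name, key))
    conn.commit()
    return True, "ok"


def delete_member(conn, member_id, by_ip=None, by_user_id=None, groups=None):
    """Step 2: retire the name and remove the member row in one transaction."""
    row = conn.execute(
        "SELECT username, username_key FROM members WHERE id = ?", (member_id,)
    ).fetchone()
    if row is None:
        return False
    username, key = row
    with conn:  # commits both statements together, or neither
        conn.execute(
            "INSERT OR IGNORE INTO deleted_users VALUES (?, ?, ?, ?, ?, ?)",
            (key, username, datetime.now(timezone.utc).isoformat(),
             by_ip, by_user_id, groups),
        )
        conn.execute("DELETE FROM members WHERE id = ?", (member_id,))
    return True


def demo():
    """Replays the thread's scenario and returns the registration outcomes."""
    conn = open_db()
    register(conn, "testMember")
    (member_id,) = conn.execute(
        "SELECT id FROM members WHERE username = 'testMember'").fetchone()
    # Constructed audit values: the member deletes their own account.
    delete_member(conn, member_id, by_ip="192.0.2.10",
                  by_user_id=member_id, groups="Members")
    return {
        "same name": register(conn, "testMember")[1],
        "case variant": register(conn, "TESTMEMBER")[1],
        "full-width": register(conn, "\uff54\uff45\uff53\uff54Member")[1],
        "fresh name": register(conn, "otherMember")[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

The retired-name lookup is deliberately the last check, as the post suggests, so the usual length and in-use rules still produce their normal messages; the same lookup is where a prohibited-usernames list (mentioned earlier in the thread) would naturally be consulted as well.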
#67985

Please add to the tracker if you'd like us to consider. I don't consider this a bug or security hole, but more of a social engineering possibility.
