October 17th, 2004, 06:24 PM
AntiOnline Addicts information disclosure
"Members <250 posts" know that there is a forum called AntiOnline Addicts, however the posts are not accessible. Fine with me. However, I am a bit puzzled that I get information about thread titles like "Windows 2000 Server Password Cracking" using either the search engine, the "last 20 posts by username" and/or "all posts by username".
I just wanted to report that issue - it looks like some inconsistency in the security measures to me.
Maybe it's just a feature.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
October 17th, 2004, 09:15 PM
There are many ways that non-addicts can view information and threads in the Addicts forum. It isn't really a bug per se, but more a method/way to do so without being granted actual access.
October 17th, 2004, 10:32 PM
Seeing the actual thread is hard, but the rest, pretty easy.
October 18th, 2004, 01:14 AM
SDK: Actually, seeing the whole thread is easy... it's seeing the whole forum which is tricky. Even that, though, can be done.
October 18th, 2004, 05:57 AM
Really? Does mnstrgrl know what and plan to fix it?
October 18th, 2004, 06:52 AM
I've plugged a lot of holes for access to the addicts forum, but it seems like new ones pop up all the time. Thread titles I'm not so concerned about, but I'd like to keep members w/o access from reading whole threads. If you guys want to be helpful, you can PM me the methods you've uncovered, and I can look into plugging them.
I'm not mean. You're just a sissy.