Security issues with mobile CCJ and SAM-24A's ban re-started

Posted: Sun Feb 12, 2012 9:06 pm
by The X
Hello,

Before misinformation starts taking hold, I need to let you know of a few matters that have cropped up in the last 30 hrs.

SAM-24A as you know has been banned for trolling. This was to take effect from Wednesday morning.

Sam's ban clock has been restarted as of tonight. He has been informed via email, same way he has chosen to communicate with me.

I received an email yesterday afternoon from Sam complaining that he was getting an abnormal error message and demanding that he should be able to view the site without being logged in, with a screenshot attached. A banned member is blocked from logging in but also blocked from viewing the site as a guest; that's how the forum software has been intended. Bans are serious business.

As part of investigating this error message with my own test account "GTS_Pete", I confirmed the error; it just was not displaying the correct "You have been banned" banner.
During the process of post-testing my initial fix, I accidentally discovered a glaring security hole with the mobile versions of ClubCJ.net, in that they never checked, upon login, whether a user is banned and denied them access. In effect any banned user, past and present, may have been able to log on as if the ban had not been in effect!

Upon discovering this, I've conducted a sweep of the server logs and can see Sam has been sitting watching chat from his desktop as a guest and accessing various sub-forums from his mobile phone. When anyone accesses any website, digital fingerprints are left in the server logs, so it's very easy to build a digital profile and cross-match data. The analogy for this situation is that of being told you're not welcome at a house, but using the defence of entering that house because the door was slightly ajar and having a snoop around. Not on!

I have wasted a good 8-9 hours of my day off and cancelled my plans, trawling the code and implementing fixes to address this problem on both the Android and iPhone variants of the site.

There are still some outstanding issues I need to fix with the mobile CCJ sites, minor annoyance issues like not updating the last login, etc., which I will endeavour to address this week.

So there you have it. I'd prefer to be open and transparent about things before rumour takes hold and unwarranted accusations are levelled against me by vested interests. I'm feeling a little bit cheesed off at the moment for having my day's plans ruined and I make no apologies for it, but that's life when you're the admin of a site.

PS, I will be working through the night till morning to get the Constitutional vote results up, the new constitutional document, and also open up the nominations for elections.
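The two points the post makes, that a ban must be enforced on every login path rather than only on the desktop one, and that a sweep of the server logs can show a banned account's activity and cross-match guest hits from the same address, are shown below as an added example. This is not ClubCJ.net's code nor that of any forum package; the user table, passwords, client names and access-log lines are all constructed for the example, and `mobile_login_before` is a hypothetical reconstruction of the defect described, not the site's actual code.

```python
"""Added example: centralising the ban check in one authentication routine,
and a small access-log sweep for activity by banned accounts.

Everything here (users, passwords, clients, log lines) is constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed fixed salt so the example is deterministic; a real member
# store keeps a random salt per user.
_SALT = b"constructed-example-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    pw_hash: bytes
    banned: bool = False


# Constructed member table: "pete" is in good standing, "sam" is banned.
USERS = {
    "pete": User("pete", _hash_password("pete-pass", _SALT)),
    "sam": User("sam", _hash_password("sam-pass", _SALT), banned=True),
}


def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, _hash_password(password, _SALT))


def mobile_login_before(username: str, password: str) -> tuple[bool, str]:
    """Hypothetical reconstruction of the defect the post describes: the
    mobile front end verified the password on its own and never consulted
    the ban flag, so a banned member could obtain a session."""
    user = USERS.get(username)
    if user is None or not _password_ok(user, password):
        return False, "bad credentials"
    return True, f"session for {username}"


def authenticate(username: str, password: str, client: str) -> tuple[bool, str]:
    """After the fix: one routine shared by every front end, so a ban is
    enforced the same way whichever client (desktop, android, iphone) is used."""
    user = USERS.get(username)
    if user is None or not _password_ok(user, password):
        return False, "bad credentials"
    if user.banned:
        # Same refusal on every client; the client name is only for the audit log.
        return False, f"banned ({client})"
    return True, f"session for {username} via {client}"


def login_for_client(client: str, username: str, password: str) -> tuple[bool, str]:
    """Every front end is a thin wrapper; none re-implements the check."""
    if client not in ("desktop", "android", "iphone"):
        raise ValueError(f"unknown client {client!r}")
    return authenticate(username, password, client)


# Constructed access-log lines in common log format: IP, identity, authenticated
# user (or "-" for a guest), timestamp, request line, status, size.
LOG_LINES = [
    '203.0.113.5 - - [12/Feb/2012:19:55:02 +1100] "GET /chat HTTP/1.1" 200 512',
    '203.0.113.5 - sam [12/Feb/2012:20:10:01 +1100] "POST /m/login HTTP/1.1" 302 0',
    '203.0.113.5 - sam [12/Feb/2012:20:10:09 +1100] "GET /m/viewforum?f=3 HTTP/1.1" 200 8192',
    '198.51.100.7 - pete [12/Feb/2012:20:12:40 +1100] "GET /viewforum?f=3 HTTP/1.1" 200 8192',
]

_LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)')


def sweep_logs(lines: Iterable[str], banned: set[str]) -> list[tuple[str, str, str, str]]:
    """Two passes: first collect the IPs from which a banned account
    authenticated, then report every request made by a banned account or
    from one of those IPs. The second condition is the cross-match that
    catches guest browsing from the same machine. Rows are
    (ip, user, method, path)."""
    parsed = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m:
            parsed.append(m.groups())
    banned_ips = {ip for ip, user, _, _ in parsed if user in banned}
    return [row for row in parsed if row[1] in banned or row[0] in banned_ips]


if __name__ == "__main__":
    print(mobile_login_before("sam", "sam-pass"))   # the hole: a session is issued
    print(login_for_client("android", "sam", "sam-pass"))  # after the fix: refused
    for row in sweep_logs(LOG_LINES, {"sam"}):
        print(row)
```

The design point is that the ban flag is read in exactly one place; front ends only differ in the `client` label they pass, so adding a new mobile variant cannot reintroduce the gap. The log sweep deliberately reports guest requests from an IP that a banned account also logged in from, which is the kind of cross-matching the post refers to; on a shared or NAT'd address that correlation is a lead to check, not proof on its own.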