Thread: New Posting Features - QHSF Private Thread
Old 01-26-2009, 08:44 PM
Rene Kriest Rene Kriest is offline

Hello folks!

I am finally back after some testing, and I also had a look at the source code of this addon as well.

To make it short:
  1. This addon is safe only under certain additional conditions which need to be set by an admin
  2. The addon has no flaws
Kinda paradoxical, isn't it? But read on!

Here are now the results of my investigations regarding the so-called security flaws.

The "search postings" issue is a flaw but not of the addon but of the cache.
You need to rebuild your search index cache to make the addon work 100%. After rebuilding there will be a message in the search posting preview "This is message from private thread". Technically the addon is flawless - the problem is the forum search cache.

How to fix that issue
  • Rebuild your cache often via cron
  • Allow the addon only in certain forums which aren't searchable
  • Allow the addon only in certain forums which are restricted to certain usergroups only, but take care: then the problem applies to the members of the usergroup itself if you do not alter the search rules to the forum
  • Turn off "posting preview" or reduce the number of letters (standard: 200, to be found in search.php)
  • Use a spoiler to at least 200 letters for each posting
My suggestions
Use the addon only in forums where the search function is turned off or at least restricted to titles only.

Rebuilding your Search Index Cache somehow sucks, because of the time gaps and the huge server load it creates.
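The mechanism described in the post, as an added illustration that is not part of the thread and not the addon's or vBulletin's code: a search cache stores a text preview per post when the post is written, so a thread that is made private afterwards keeps surfacing its original text in "search postings" results until the cache is rebuilt. The class and function names, the sample posts and the user names are all hypothetical; the 200-letter preview limit and the "This is message from private thread" placeholder are the values the post quotes. The checked search variant goes beyond the post's workarounds by re-checking thread visibility for every hit at query time, which closes the gap regardless of how stale the cache is.

```python
from dataclasses import dataclass, field

PREVIEW_LENGTH = 200  # preview limit the post mentions (search.php default)
PRIVATE_PLACEHOLDER = "This is message from private thread"  # text shown after a rebuild


@dataclass
class Thread:
    thread_id: int
    private: bool = False              # flag the private-thread addon sets
    members: frozenset = frozenset()   # users allowed to read a private thread


@dataclass
class Post:
    post_id: int
    thread_id: int
    text: str


@dataclass
class SearchIndex:
    """Cached preview text per post, standing in for the forum's search cache."""
    previews: dict = field(default_factory=dict)

    def _preview(self, post, thread):
        return PRIVATE_PLACEHOLDER if thread.private else post.text[:PREVIEW_LENGTH]

    def index_post(self, post, thread):
        """Incremental update at posting time; a later privacy change is not reflected."""
        self.previews[post.post_id] = self._preview(post, thread)

    def rebuild(self, posts, threads):
        """Full rebuild (the cron job the post recommends): private posts get the placeholder."""
        self.previews = {p.post_id: self._preview(p, threads[p.thread_id]) for p in posts}


def can_read(thread, user):
    return (not thread.private) or user in thread.members


def search_cache_only(index, term):
    """Where the leak comes from: results are served straight from cached previews."""
    return sorted(pid for pid, preview in index.previews.items() if term in preview)


def search_checked(index, posts, threads, term, user):
    """Defensive variant: matching still uses the cache, but every hit is re-checked
    against the thread's *current* visibility before it is returned."""
    by_id = {p.post_id: p for p in posts}
    hits = []
    for pid in search_cache_only(index, term):
        thread = threads[by_id[pid].thread_id]
        if can_read(thread, user):
            hits.append((pid, index.previews[pid]))
    return hits


def demo():
    # Constructed sample data: two threads, one post each.
    threads = {1: Thread(1), 2: Thread(2)}
    posts = [Post(10, 1, "public announcement about the meetup"),
             Post(20, 2, "confidential salary figures for the board")]
    index = SearchIndex()
    for p in posts:
        index.index_post(p, threads[p.thread_id])

    # Thread 2 is made private after its post was indexed (the addon's situation).
    threads[2] = Thread(2, private=True, members=frozenset({"alice"}))

    leaked = search_cache_only(index, "salary")                      # stale cache: [20]
    guarded = search_checked(index, posts, threads, "salary", "bob")  # non-member: []
    index.rebuild(posts, threads)
    after_rebuild = search_cache_only(index, "salary")               # placeholder only: []
    return leaked, guarded, after_rebuild


if __name__ == "__main__":
    print(demo())
```

Rebuilding the cache only fixes results until the next thread is made private, which is why the post's "rebuild often via cron" still leaves time gaps; the query-time check in `search_checked` has no such gap, at the cost of one permission lookup per result.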