Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
  #1  
Old 03-19-2009, 01:16 AM
Peter Ostry's Avatar
Peter Ostry Peter Ostry is offline
 
Join Date: Jul 2008
Posts: 42
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Google/Guest reads an admin thread?

We see at least two Google bots trying to look into an admin forum. What should the screenshot below tell us and how do these bots get into this forum as guests?



Could there be problems with forum permissions? The admin fora are normally not visible for guests or registered users. We haven't checked the serverlogs yet but I call this a serious security issue. Btw, the thread shown in the screenshot was opened by an admin because of this undesirable activity.
Reply With Quote
  #2  
Old 03-19-2009, 01:22 AM
Swampfox Swampfox is offline
 
Join Date: Aug 2006
Posts: 119
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

See the stop sign? they are only viewing the no permissions page
Reply With Quote
  #3  
Old 03-19-2009, 01:49 AM
Peter Ostry's Avatar
Peter Ostry Peter Ostry is offline
 
Join Date: Jul 2008
Posts: 42
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks for trying to calm me down but I see only a red image delivered by a software under certain circumstances. We have seen the bots accidently on two different threads, both threads wrapped into an admin-only forum. As vBulletin showed the access, the respective thread was the topmost under a row of stickies. I do not blame vBulletin yet, I am just not sure that these Google crawlers can not read the title of the threads.

We can certainly learn more in a couple of hours when the admin scans the serverlog. But I am currently not relaxed.
Reply With Quote
  #4  
Old 03-19-2009, 02:38 AM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

A bot is simply an Unregistered user. Check the permissions for that group. And, if you don't believe those, logout of your forum and see what you can see. Whatever you can see is what a bot can see.
Reply With Quote
  #5  
Old 03-19-2009, 02:39 AM
nexialys
Guest
 
Posts: n/a
Default

do you have GoogleAds on your site? any Banners engine? Google Analytics will also check all the pages that you visited, because they log your pages content for keywords etc
Reply With Quote
  #6  
Old 03-19-2009, 05:35 PM
Peter Ostry's Avatar
Peter Ostry Peter Ostry is offline
 
Join Date: Jul 2008
Posts: 42
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I checked the server log and, as an unregistered user, tried many of the URLs called by the Google bots. I saw only the login page. You were right and I am relieved.

One issue remains, the origin of the concern. I can reproduce it with one browser, but it is easier to test with two:
  • I log in as an admin in browser A and browser B.
  • In browser A I go to the restricted admin area and spend some time there, reading threads.
  • In browser B I go to "View who is online" and can observe the way of the admin in browser A. The correct thread title is shown. BUT: the user name is "Guest" and the IP address belongs to a Google bot.
huh?

Is this a bug or do I have a little google glued to my shoes?
Reply With Quote
  #7  
Old 03-19-2009, 05:49 PM
nexialys
Guest
 
Posts: n/a
Default

if you refresh a page from one browser to the other, you are still user X, so you share the session between the browsers, and you are in a single place.. the other detail is the google bot itself, not your other user.
Reply With Quote
  #8  
Old 03-20-2009, 09:29 AM
Peter Ostry's Avatar
Peter Ostry Peter Ostry is offline
 
Join Date: Jul 2008
Posts: 42
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by nexialys
you share the session
Sure it's me, this is the point.

---

I did a couple of other tests and guess I know what's going on: it looks like vBulletin's information is accurate and the bot is attached to myself:



Peter Calgary is one of my test accounts and Peter Ostry is my admin account (same IP). The "guest" is a Google bot. It seems to follow Peter Ostry wherever he is. I am the one who ordered the GoogleAds. If this is related, I am not amused about the potential security risk and will remove this stuff as soon as possible. But however, the issue doesn't seem to be vBulletin related.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 05:07 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04166 seconds
  • Memory Usage 2,215KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (6)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete