XF 1.5 How to prevent users to get access to all the users in the forum?

N

namegreat

New member
Right now any users can get access to the list of all the users that has ever registered to the the forum with simply changing the number next to the user name.
How can this be prevented?
 
Sort by date Sort by votes
If I got you right you want to disable the members list, well you can do that buy uncheck this option by going to ACP > Setup > Options > User options.
 
Upvote 0 Downvote
Users can still see all the users in the forum by changing the number next to the members/username.4/.
If you change the number to "3" it will display the user so basicly every user can see all the users that ever registered and spam them.
 
Upvote 0 Downvote
Yes but then users can not see profiles at all... Surely there is a more elegant way of making the forum database of users without this exploit?
I mean its either users can see all the users that ever registered or users cannot access users profile at all.
No other way to allow users to see users that post but not users that never post?
 
Upvote 0 Downvote
I mean I have 2 options now, either to not allow all the users to see other users and rendering my forum basically useless or allow every new users that register getting spammed on the second he registers.
when changing the number next to the user name it should NOT give users the user profile in that number! its a bug that seems to be in all the version of this forum.
Surely there is a fix for this simple exploit? it is such an expensive forum and it is completely useless because of the way it builds the users database.
 
Upvote 0 Downvote
namegreat said:
How can this not be a bug?
Just copy this link and change the number and it will take your to the profile of the user in that number.
https://xenforo.com/community/members/namegreat.168483/
for example I change to your number (3084) and it will take me to your profile
https://xenforo.com/community/members/namegreat.3084/
This is an exploite that does not exist in other forums.
Click to expand...

This is how XF deals with members URL's. And @Mike or @Chris D or @Kier can confirm this.
 
Upvote 0 Downvote
namegreat said:
This is an exploite that does not exist in other forums.
Click to expand...
Actually, it's pretty much how every single forum software works, ever.

Invision:
https://invisioncommunity.com/profile/582164-creative-random/
https://invisioncommunity.com/profile/582165-creative-random/

Woltlab:
https://www.woltlab.com/user/1478288-powermax/
https://www.woltlab.com/user/1478289-powermax/

vBulletin:
https://www.vbulletin.com/forum/member/286437-nevan
https://www.vbulletin.com/forum/member/286438-nevan

phpBB:
https://www.phpbb.com/community/memberlist.php?mode=viewprofile&u=236418
https://www.phpbb.com/community/memberlist.php?mode=viewprofile&u=236419

Everything in a web application needs an ID to identify it. Sometimes that ID is a number, other times it is a string (like Twitter).

If a user has a particular problem that their profile could be found in this way, or has other privacy concerns, they can just use the privacy settings on their profile.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Claraviolet
  • Solved
XF 2.2 How to update all the users to get alerts for their threads?
Replies
3
Views
385
Mr Lucky
Mr Lucky
Rom
  • Question Question
XF 2.1 How can I change the date of all users' last activity to the date of their last post in the database?
Replies
5
Views
773
⭐ Alex ⭐
⭐ Alex ⭐
Oldengine
  • Suggestion Suggestion
Lack of interest We NEED to Find Our USERS in the Database
Replies
4
Views
716
Kirby
K
Chernabog
Add-on Force new users to post in a forum prior to having access to the rest of the site... I thought I've seen an add-on like that.
Replies
4
Views
702
Chernabog
Chernabog
azamat.g
XF 2.0 How to get access to object from my addon in global templates?
Replies
0
Views
442
azamat.g
azamat.g
Back
Top Bottom