
Fixed profile post comment not inside recent activity

Discussion in 'Resolved Bug Reports' started by Adam Howard, Nov 29, 2013.

  1. Adam Howard

    Adam Howard Well-Known Member

    Cliffs: 200+ profile posts spammed, but no way of knowing it because they did not show up in recent activity. I'd call this a bug (or spam exploit / vulnerability). Because there is virtually no way to monitor the activity on people's profiles.

    edit: Profile comments (I still count those as posts)


    Details:

    So we had a spammer slowly crawl over 200 profiles. They couldn't post any links because I have an add-on preventing newbies without X amount of posts from posting links (http://xenforo.com/community/resources/sonnb-stop-spam-here.1086/) and thank God for that, because after posting on over 200 profiles I'd still call that successful & can only imagine how much worse it could have been.

    This was a human spammer. Since they made comments in relation to other people. I can only imagine what a bot would have done.

    So I started asking myself, how did I not notice him crawling all over the site, posting on people's profiles. The answer is that the recent activity does not seem to count profile posts. And so it seems to be a free range way of basically having at it.
     
    Last edited: Nov 29, 2013
    erich37 likes this.
  2. Chris D

    Chris D XenForo Developer Staff Member

    Profile posts appear in Recent Activity:

    upload_2013-11-29_11-36-53.png
     
    SneakyDave likes this.
  3. Adam Howard

    Adam Howard Well-Known Member

    Clarification: Profile comments (I still count those as posts)
     
  4. Chris D

    Chris D XenForo Developer Staff Member

    Yeah, comments on profile posts do not show in recent activity.
     
    Adam Howard likes this.
  5. Adam Howard

    Adam Howard Well-Known Member

    Which, as I learned, was a big vulnerability. 200 posts and no one who could do anything about it noticed.
     
  6. xf_phantom

    xf_phantom Well-Known Member

    Profile Post Comments aren't in recent activity
    Profile Post Comments won't be found with the search
    Profile Post Comments can't be reported
    Profile Post Comments can't be edited
    Profile Post Comments can't be soft deleted

    I wouldn't even call them half-baked :p
     
    Daniel Hood and Adam Howard like this.
  7. Adam Howard

    Adam Howard Well-Known Member

    I just found out one of my competitors had been slowly spamming my site. He was posting links like this:

    m y s i t e D O T c o m

    Anyone know the SQL command to remove all profile posts and comments?
     
  8. Adam Howard

    Adam Howard Well-Known Member

    This needs to be addressed.
     
  9. xf_phantom

    xf_phantom Well-Known Member

    The same problem also happens with the IMO stupid implementation of the RM reviews & review comments... (just replace "Profile Post Comments" with "Resource Manager Review & Resource Manager Review Comments") in
     
    Adam Howard likes this.
  10. Adam Howard

    Adam Howard Well-Known Member

    NO.

    I'm not happy that this got pushed back to a "future fix". Because as it stands right now, I could spam the living hell out of XenForo.com or any other XenForo type site and you'd be clueless of me doing it unless someone finally reported it.

    THIS NEEDS TO BE ADDRESSED.
     
  11. Chris D

    Chris D XenForo Developer Staff Member

    I've never seen it used for spam. Presumably XenForo hasn't either.

    Personally I would have put money on this one being "As Designed".

    They obviously consider it a potential but not active risk.

    Best thing to do is not scream, shout and stamp your feet like a child. I'm sure it won't make much of a difference to the decision as it stands.
     
    SneakyDave likes this.
  12. Brogan

    Brogan XenForo Moderator Staff Member

    Bumping a bug report in this manner is not necessary.
    Demanding that it "NEEDS TO BE ADDRESSED" isn't going to make any difference and is frankly not for you to make that claim.

    The developers will deal with it as and when they see fit.
     
    Liam W and SneakyDave like this.
  13. Adam Howard

    Adam Howard Well-Known Member

    I've been hit by this type of attack 4x now on my site. Each time with over a few hundred replies. One attacker managed to do this on EVERY member's profile (all 700 members).

    And frankly, yes, I am upset that this got into the "future fix" because it seems like things "future fixes" remind me of vBulletin in that they sit here forever. I love XenForo, but I really do not want this to become a "thing".

    You are right and I am sorry if my tone is high-strung on this. I've said my piece.
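Added example, not part of the original thread and not XenForo code: a moderator-side check for the pattern described in the posts above, one account commenting across many distinct profiles, plus letter-spaced links such as `m y s i t e D O T c o m`. The record layout, function names, TLD list and thresholds are assumptions for illustration, and the sample data is constructed.

```python
import re
from collections import defaultdict

TLDS = r"(?:com|net|org|info|biz)"

# Constructed sample records, not real data. The tuple layout
# (author, target_profile, unix_time, message) is an assumption, not XenForo's schema.
COMMENTS = (
    [("newuser42", f"profile{n}", 1000 + 1200 * n,
      "great profile! m y s i t e D O T c o m") for n in range(8)]
    + [("bob", "profile3", 2000 + 60 * n, "thanks, see you at the meetup")
       for n in range(6)]
    + [("alice", "profile1", 5000, "happy birthday"),
       ("alice", "profile2", 9000, "welcome aboard")]
)

def deobfuscate(text):
    """Undo letter-spacing and a spelled-out 'dot' before a common TLD."""
    joined = re.sub(r"\b(?:\w ){3,}\w\b",
                    lambda m: m.group(0).replace(" ", ""), text)
    return re.sub(r"(?<=[a-z0-9])\s*(?:\[dot\]|\(dot\)|dot)\s*(?=" + TLDS + r"\b)",
                  ".", joined, flags=re.I)

def hidden_link_authors(comments):
    """Authors whose comments contain a domain only after de-obfuscation."""
    link = re.compile(r"\b[a-z0-9-]+\." + TLDS + r"\b", re.I)
    return {a for a, _, _, msg in comments
            if not link.search(msg) and link.search(deobfuscate(msg))}

def fanout_authors(comments, window=86400, min_profiles=5):
    """Map author -> most distinct profiles commented on within `window` seconds."""
    by_author = defaultdict(list)
    for author, target, ts, _ in comments:
        by_author[author].append((ts, target))
    flagged = {}
    for author, events in by_author.items():
        events.sort()
        # Count distinct targets, so a long conversation on one profile is not flagged.
        best = max(len({t for ts, t in events[i:] if ts - start <= window})
                   for i, (start, _) in enumerate(events))
        if best >= min_profiles:
            flagged[author] = best
    return flagged

if __name__ == "__main__":
    print("fan-out:", fanout_authors(COMMENTS))
    print("hidden links:", hidden_link_authors(COMMENTS))
```

The window matters for a slow poster: with `window=3600` the same sample account stays under the threshold, which is why the default here is a full day.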
     
  14. Jeremy

    Jeremy XenForo Moderator Staff Member

  15. tyteen4a03

    tyteen4a03 Well-Known Member

    Now that you mentioned it, it struck me as pretty odd for profile post comments to be unreportable.

    An addon to "upgrade" profile post comments to profile posts quality should be pretty easy, but it might be better to just upgrade profile post comments to profile posts (so you can have n-depth comments).

    EDIT: @Adam Howard, I tested the current system, and it seems like profile post comments are also subject to global post timers, so if you have that on and it is set to a reasonable time, it should discourage the human from abusing.

    Otherwise, you can't report the comment - that's it. Note that the spam cleaner also automatically deals with profile post comments but it seems like there's no option checking whether you want this behaviour or not, maybe @Mike or @Kier can look into it.
     
    Last edited: Jan 22, 2014
    Adam Howard likes this.
  16. Jeremy

    Jeremy XenForo Moderator Staff Member

    This feature was added in 1.5.
     
    Eagle likes this.
