Urgent - Security issues for private forums


Urgent - Security issues for private forums

vames
Hi,

A number of issues have come to light this evening over the security of members-only forums.

I'm still trying to gauge the severity of this and how well known these issues are, but they affect us and other forums.

Could we talk privately as I don't think it is a good idea to advertise these issues?

This is REALLY important.

Thanks

Re: Urgent - Security issues for private forums

Paul (artgallery42)
James,

I'm not trying to be clever or anything, but I am currently logged out and can access this thread via your avatar; all I have to do is fill in the code image at the bottom of the posting area to post this. Don't worry, I'm not looking at anything else, as I just want to highlight the ease of access. Anyway, it's bed time!

Paul.

Re: Urgent - Security issues for private forums

vames
Thanks very much Paul!

Your input on this is very much appreciated.

Hoping that someone from Nabble will get back to me ASAP

Re: Urgent - Security issues for private forums

Will <Nabble>
Administrator
In reply to this post by vames
Sure. You can use More->Reply to Author to email me.

Re: Urgent - Security issues for private forums

Will <Nabble>
Administrator
In reply to this post by Paul (artgallery42)
Paul, I think you are mistaken. The posts in a user's account page are the Public posts by that user. So, if you made a post in a private forum, it won't show to those who have no rights to see it. In other words, your account page is your public profile.

Re: Urgent - Security issues for private forums

vames
Will,

We have identified a problem related to deleted posts.

I have sent you an email with the info.

James

Re: Urgent - Security issues for private forums

waiorongomai
Guess who!

Re: Urgent - Security issues for private forums

vames
Dave, this is not a secure posting forum and is in the general Nabble support section, so your post is not a security issue in this case.

The issues lie with deleted posts.
Further investigations with Paul, Scott and Trevor, plus your findings, have pinpointed the problem, and I'm hoping Will (Nabble staff) will get back to me on this ASAP, as it is a huge hole in security.

Will, did you get my last email?

Re: Urgent - Security issues for private forums

vames
Will, could you please permanently remove all archived threads for our forum,
i.e. the ones that we have deleted but that still exist as an archive.

This is urgent.

Thank you

James

Re: Urgent - Security issues for private forums

Will <Nabble>
Administrator
In reply to this post by vames
I replied to your email. Again, I think the security issues are mistaken. It's a usage issue.

Re: Urgent - Security issues for private forums

Will <Nabble>
Administrator
In reply to this post by vames
Yes, we can, but you need to give me the URLs.

Re: Urgent - Security issues for private forums

vames
Thank you for the time you have spent helping us out.

We created a bin in our management forum as soon as we pinpointed the security hole.

I now appreciate how this security hole occurred and that this was a consequence of not being fully aware of the consequences of our actions.

I now have a better understanding of why this has happened and I would like some guidance please on our working procedures and which options we should use.

The forums are moderated by the management team. We have a principal forum manager whose role it is to remove defamatory posts and to keep the forums on topic.

From time to time we tidy up the forum by deleting old and out-of-date/inaccurate data, some of which may contain highly sensitive information.

To achieve this, we would like officially appointed moderators to be able to permanently delete posts and topics that they have not generated themselves, is this possible to do?

Any help you can provide to achieve this would be greatly appreciated.

Thank you

James

Re: Urgent - Security issues for private forums

Will <Nabble>
Administrator
Deleting other people's posts isn't allowed on Nabble.

I know almost all forums allow that, so we are an exception here.

The reason is just that we care about common users' rights. A common user may say something stupid, and a forum owner can remove it and/or ban that user, but his post is his property, therefore no one else can destroy it. Only in extreme cases, such as law being violated, do we (Nabble admin) delete a post without asking for consent from a user.

If you find this unacceptable, you shouldn't be using Nabble. Sorry to be so upfront about this, we want you to stay on.

The other alternative is to have an installed Nabble on your own server with your own URLs; then you yourselves are the super admins, and you can delete whatever you want.

We are mulling over the idea of having a paid version of Nabble, either by licensing, where you install the code on your own server, or perhaps a separate instance with your URL, for example forum.yourdomain.com, and then giving the owner the same power as ourselves. Let me know if you are interested in this kind of setup.

Re: Urgent - Security issues for private forums

vames
Hi,
I appreciate the advice, but your arguments are totally flawed.

Why should a private message on a private forum be allowed to be read in a public forum just because it has been removed?

It makes a total mockery of having a private forum.
Bearing in mind that the message was removed because there was no option to delete in the first place.

You are also contradicting yourselves with the point about somebody's post remaining their property and therefore not being deletable.

You have the facility to delete posts in this forum that are not made by yourselves, so why keep it to yourselves?
It is surely logical that if you would want this option then so would others. A little bit hypocritical, methinks.

Re: Urgent - Security issues for private forums

Graham Perrin
Mid-January, I created a private sandpit in which my colleagues can play.

My colleague Sheridan posted a test message to that private forum, in private I replied.

Following this security-related topic: today, I removed her post from that private sandpit.

A few minutes later, <http://n2.nabble.com/user/UserNodes.jtp?user=169829> reveals to the public that previously private post, with my previously private reply.

That is sandpit material, so I don't mind it being in the open, but I do agree that removal from a private forum must not equal publicity.

(Normally, I never discuss security issues in public, but this one is already public.)

Regards
Graham

Re: Urgent - Security issues for private forums

Will <Nabble>
Administrator
Yes, I think what you and James said are reasonable.

Thanks for raising your voice on this. Let me discuss this with the team and try to find a reasonable solution.

Re: Urgent - Security issues for private forums

vames
Thank you.

I would also like you to re-consider the issue of deleting posts from a public forum.

As a forum owner I can, I believe, be held legally liable for the content of the forum.
How are we supposed to deal with discussions that have legal implications? If we can't delete them but only remove them, then the legal responsibility transfers to you, as this is no longer on my forum but in your history.

I can think of many subjects that could cause problems including libellous comments, racism, illegal activities to name but a few.

The implications of not being able to delete are extremely scary for yourselves as well as forum owners.

The idea of free speech is something I totally uphold, and it is great that this is what you are aiming for, but I don't think that not allowing posts to be deleted by appointed members with that responsibility is the solution.

The world has gone mad for political correctness, and the media are in great danger of destroying free speech in the U.K. with recent activities involving prominent presenters on the television. I think that the most recent comments made by Jeremy Clarkson about Gordon Brown were both amusing and accurate; however, personal attacks on other people should be allowed to be moderated as well.

It's a minefield and the route you choose to navigate through this should be chosen very carefully.

Re: Urgent - Security issues for private forums

Steve Diamond
In reply to this post by Graham Perrin
Graham Perrin wrote:
"removal from a private forum must not equal publicity."
As an owner of a private forum, let me add my vote. I agree with Graham's point 100%. Any other view flouts the whole notion of private forums, IMO.

I'd suggest that the proper consequence of removing a post from a private forum ought to be that the post is then accessible only to the original poster. That way the poster retains ownership of the original, but there's no breach of privacy. This might be the sensible consequence of removal from a public forum as well.

Re: Urgent - Security issues for private forums

Admin ProSchulreformHH
In reply to this post by vames
Hi!

I was just checking in the forum about security issues and stumbled over this one-year-old issue.

How was it solved? Is it still as Graham rightfully complained, that removed topics all of a sudden become public (without the knowledge of the owner)?

And what about general security issues? How well guarded is a private forum against somebody who professionally wants to hack his way into the system? This is very important for us to know.

Re: Urgent - Security issues for private forums

Hugo <Nabble>
Admin ProSchulreformHH wrote:
"How was it solved? Is it still as Graham rightfully complained, that removed topics all of a sudden become public (without the knowledge of the owner)?"
This issue was solved. When a post is removed from a private forum, the post continues to be private and accessible only to the users who participate in that discussion.
Admin ProSchulreformHH wrote:
"And what about general security issues? How well guarded is a private forum against somebody who professionally wants to hack his way into the system? This is very important for us to know."
The security is implemented by our code, and information is only delivered to the right users. I am not sure what kind of explanation you would like to see here.
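The flaw Graham reproduced (a post removed from a private sandpit showing up on the poster's public profile page) and the fix Hugo describes (a removed post keeps the privacy of its forum and is visible only to the discussion's participants) are both authorization decisions on a profile listing. The following is an added illustration written for this page, not Nabble's code: a hypothetical data model with a `Forum`, a `Post` with a `removed` flag, and two versions of the profile listing. The vulnerable version models the reported behaviour by treating a removed post as orphaned from its forum, so the forum's access check is never applied; the fixed version always applies the originating forum's check and additionally restricts removed posts to thread participants. The names, the `thread_id`/`members` fields and the sample posts are all constructed for the example.

```python
"""Hypothetical model of the removed-post visibility bug and its fix.

Added illustration for this thread; not Nabble's code. All names and the
sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Forum:
    name: str
    private: bool
    members: frozenset = frozenset()  # usernames allowed to read if private


@dataclass
class Post:
    post_id: int
    thread_id: int
    author: str
    forum: Forum          # the forum the post was originally made in
    body: str
    removed: bool = False  # "removed" by a moderator; content is retained


ANONYMOUS: Optional[str] = None  # a logged-out viewer


def can_read_forum(viewer: Optional[str], forum: Forum) -> bool:
    """Public forums are readable by anyone; private ones only by members."""
    return (not forum.private) or (viewer in forum.members)


def thread_participants(thread_id: int, posts: List[Post]) -> Set[str]:
    """Everyone who has posted in the thread (author plus repliers)."""
    return {p.author for p in posts if p.thread_id == thread_id}


def profile_posts_vulnerable(viewer: Optional[str], profile_user: str,
                             posts: List[Post]) -> List[int]:
    """Profile listing with the flaw described in the thread.

    A removed post is treated as no longer belonging to its forum, so the
    forum's privacy check is skipped and the post falls through as public.
    """
    shown = []
    for p in posts:
        if p.author != profile_user:
            continue
        if p.removed:
            shown.append(p.post_id)  # bug: no ACL evaluated for removed posts
        elif can_read_forum(viewer, p.forum):
            shown.append(p.post_id)
    return shown


def profile_posts_fixed(viewer: Optional[str], profile_user: str,
                        posts: List[Post]) -> List[int]:
    """Profile listing with the fix: the originating forum's ACL always
    applies, and removed posts are further limited to thread participants."""
    shown = []
    for p in posts:
        if p.author != profile_user:
            continue
        if not can_read_forum(viewer, p.forum):
            continue  # private forum, viewer is not a member
        if p.removed and viewer not in thread_participants(p.thread_id, posts):
            continue  # removed: only the discussion's participants may see it
        shown.append(p.post_id)
    return shown


def sample_posts() -> List[Post]:
    """Constructed scenario modelled on Graham's report: a private sandpit,
    a test message by sheridan (later removed) and graham's reply."""
    sandpit = Forum("sandpit", private=True,
                    members=frozenset({"graham", "sheridan", "alice"}))
    support = Forum("support", private=False)
    return [
        Post(1, 100, "sheridan", sandpit, "test message", removed=True),
        Post(2, 100, "graham", sandpit, "reply to the test"),
        Post(3, 200, "sheridan", support, "a public question"),
    ]


if __name__ == "__main__":
    posts = sample_posts()
    # Logged-out viewer looking at sheridan's profile:
    print(profile_posts_vulnerable(ANONYMOUS, "sheridan", posts))  # [1, 3]
    print(profile_posts_fixed(ANONYMOUS, "sheridan", posts))       # [3]
    # graham replied in the thread, so he still sees the removed post:
    print(profile_posts_fixed("graham", "sheridan", posts))        # [1, 3]
    # alice is a sandpit member but not a participant in that thread:
    print(profile_posts_fixed("alice", "sheridan", posts))         # [3]
```

The point of the two functions side by side is that "removed" must be an additional restriction layered on top of the forum's existing access check, never a state that bypasses it; the listing decides visibility per viewer, so the same profile URL returns different post sets to a logged-out user, a forum member and a thread participant.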