bbunnelle

Added a discussion 

I was informed by a fellow web developer that there is a possible SQL injection vulnerability in csrf_token.

Is anyone else aware of this? It's both the token and 1=1 that is able to be injected.

  • Is there a developer that can take a look into this? The issue is a pretty big deal.
    • It can't be SQL injection in csrf_token because all MySQL queries related to CSRF are written using prepared statements.

      If you can show how to reproduce the issue via private message and please specify what version of UNA you are using, we'll investigate it more carefully and make an urgent fix.
      • I will gather my details related to this and PM you this afternoon. Thank you for getting back to me.
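The distinction raised in this thread, SQL built by string concatenation versus prepared statements, shown as an added example that is not part of the original discussion and not UNA's own code. It uses a constructed in-memory SQLite token table (the table and column names are assumptions) and checks a valid token, a wrong token, and the tautology input the thread mentions against both query styles.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a CSRF token table; the table and
    # column names are assumptions, not UNA's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sys_csrf (user_id INTEGER, token TEXT)")
    db.execute("INSERT INTO sys_csrf VALUES (1, 'a1b2c3'), (2, 'd4e5f6')")
    return db

def check_token_concat(db, user_id, token):
    # Vulnerable pattern: the token is spliced into the SQL text, so a value
    # such as "' OR 1=1 --" rewrites the WHERE clause instead of being compared.
    sql = (f"SELECT COUNT(*) FROM sys_csrf "
           f"WHERE user_id = {int(user_id)} AND token = '{token}'")
    return db.execute(sql).fetchone()[0] > 0

def check_token_prepared(db, user_id, token):
    # Hardened pattern: placeholders bind the token as data; the same input
    # is compared literally and simply fails to match any stored token.
    sql = "SELECT COUNT(*) FROM sys_csrf WHERE user_id = ? AND token = ?"
    return db.execute(sql, (user_id, token)).fetchone()[0] > 0

def demo():
    # Runs the same three inputs through both query styles and reports
    # whether each one was accepted as a valid token for user 1.
    db = make_db()
    taut = "' OR 1=1 --"
    return {
        "valid_concat": check_token_concat(db, 1, "a1b2c3"),
        "valid_prepared": check_token_prepared(db, 1, "a1b2c3"),
        "wrong_concat": check_token_concat(db, 1, "zzzzzz"),
        "wrong_prepared": check_token_prepared(db, 1, "zzzzzz"),
        "taut_concat": check_token_concat(db, 1, taut),
        "taut_prepared": check_token_prepared(db, 1, taut),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15} -> {'ACCEPTED' if accepted else 'rejected'}")
```

Only the concatenated query accepts the tautology input; the prepared statement treats it as an ordinary (non-matching) token, which is the property the reply above relies on.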
Added a discussion

I have a few discussions that are configured in a manner where the most recent comment would be nicer if it was at the top. I have a "Site Updates and Changes" thread that you have to scroll all the way to the bottom of to see the most recent update.

Is there any way to change the order of the comments?

If there is another way I should be using this module, please share.

  • A Group would show most recent posts first, but then you face the same issue of comments within the posts... A designated Group would also allow members to join/follow as necessary.

    For example, you could create a group where you (or admin of the group) would be the only one allowed to create posts. Then your most recent post (used in place of comment) would always show at the top.

    Discussions, (in your case) could be a specific news article or forum for proposed legislation... Which a Group can also contain their own Discussions as well.
    • I would agree with James Cherry - the Discussions are much like a forum, with browsing by "updated first" and replies in "oldest first" sequence, as replies can follow each other in context.

      For something like site updates you could use Posts module and create new Post for each update. You can group them into a category, Group or Channel. Use category if it's just for schema, use Group if you want to control privacy and use Channel (with pre-created label) if you want to post to a context that may have multiple content types across the site.
      • I appreciate your help!

Added a discussion

I am looking for some assistance with the default "entity_info" and "entity_info_full" information in the account profiles. It seems the email address, IP address and status are hardcoded information to be presented publicly. Is there a way to hide these values from the profiles other than making the entire account private?

  • I believe only the 'Admin' roles can see that information. If you make a test account and set it to be at a normal user level, you should be able to see from a member's point of view, and that information is not shown.

    If a member level is able to see that information, go through your Permissions settings within Studio; Admin roles may have accidentally been assigned to another level.
    • Thank you so much! I am looking into the permission levels now.

      It seems that you are correct that Standard members cannot see what the Admins can.

      I appreciate your fast response and hope that I can also contribute to the community in the future.
      • bbunnelle I'm sure you will. I have been at this for almost a month and have zero background in this stuff and I'm fumbling my way through just fine! You'll get the hang of it.
        I try to help with the 'easy' things that way the other folks are freed up to help me with my problems!

                          UNA - Network Infrastructure for Communities
