Google searches for memberlist.php

  • MagiKelly
    Member
    • Nov 2005
    • 39
    • 3.5.x

    Google searches for memberlist.php

    I was looking through my domain stats and noticed that the site had been found a number of times with search criteria of "memberlist.php", "memberlist.php rk site .uk", "memberlist.php rj site .uk", "memberlist.php jr site .uk" and "memberlist.php si site .uk".

    This was not just one person as the search on "memberlist.php" had 39 people visit the site as a result.

    I know this is not really a fault but it concerned me that people might be searching for this file as there was a weakness in it that they could attack. Do you know if this is the case?
  • Jake Bunce
    Senior Member
    • Dec 2000
    • 46598
    • 3.6.x

    #2
    I don't know of any exploits with that file.

    Sometimes search spiders will swarm a specific page. Maybe that's it.

    Comment

    • mihai11
      Senior Member
      • Dec 2005
      • 398
      • 3.6.x

      #3
      Originally posted by MagiKelly
      I know this is not really a fault but it concerned me that people might be searching for this file as there was a weakness in it that they could attack. Do you know if this is the case?

      Indeed, there is a vulnerability, not in VB but in another forum software called PHPBB.

      Recently I had to completely shut down a board based on this software. In the near future I will update this board to VB.

      What happened? Very simple: users awaiting in e-mail confirmation state appear in the list of active users for that site – this means that they are displayed by the memberlist.php page.

      You, as an administrator, cannot control this. As a result, on "peak days" I had about 30 to 40 bogus new registered users that were creating links to all kinds of web sites using the "Website" field.

      What is worse is that they did not need a valid e-mail address in order to create such an account, because they were listed as "active" users even if they were in e-mail confirmation status.

      PHPBB's interface for deleting users is very clumsy – you need to display the user's profile, scroll to the bottom of the page, select something then click a button in order to delete. You can imagine that it was a nightmare to do this 30 times a day. Not to mention what happens when you leave town for a few days ….. I once had to delete almost 300 bogus users.

      So, this is the current situation: if you put any value on your time, don't use PHPBB for your forums. There are other free alternatives.



      Regards,
      Razvan


      NB:
      IMO it is clear that this is the wrong decision – to put users in e-mail confirmation status in the list of active users. PHPBB's developers have done so in order to make boards powered by PHPBB look more popular.

      Comment

      • mihai11
        Senior Member
        • Dec 2005
        • 398
        • 3.6.x

        #4
        Originally posted by Jake Bunce
        Sometimes search spiders will swarm a specific page. Maybe that's it.
        Search spiders never bother with the Referral field. What this guy saw is that a lot of people were looking for websites having a file named "memberlist.php". When they clicked on the link in Google, the referral field got saved in his web site's logs. This is what he saw later.



        Regards,
        Razvan

        Comment
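The referrer check described in post #4, as an added example that is not part of the original thread: it reads web server access-log lines, pulls the search terms out of Google referrers, and counts distinct visitors per query that names `memberlist.php`. The log lines, IP addresses and function names are constructed for illustration, and Combined Log Format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Accept google.com, google.co.uk, google.de ... but not google.<other-domain>.
GOOGLE_HOST = re.compile(r'(^|\.)google\.(com|co\.[a-z]{2}|[a-z]{2})$')

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2006:10:01:02 +0000] "GET /forum/memberlist.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=memberlist.php+rk+site+.uk" "Mozilla/4.0"
192.0.2.11 - - [12/Jan/2006:10:03:40 +0000] "GET /forum/memberlist.php HTTP/1.1" 200 5120 "http://www.google.co.uk/search?q=memberlist.php" "Mozilla/4.0"
198.51.100.7 - - [12/Jan/2006:10:07:15 +0000] "GET /forum/memberlist.php HTTP/1.1" 200 5120 "http://www.google.com/search?hl=en&q=memberlist.php" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2006:10:09:31 +0000] "GET /forum/index.php HTTP/1.1" 200 8042 "http://www.google.com/search?q=forum+rules" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2006:10:11:00 +0000] "GET /forum/memberlist.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [12/Jan/2006:10:12:44 +0000] "GET /forum/memberlist.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=memberlist.php+rk+site+.uk" "Mozilla/4.0"
"""

def search_query(referer):
    """Return the lower-cased search terms from a Google results referrer, else None."""
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST.search(host):
        return None
    terms = parse_qs(parts.query).get("q")
    return terms[0].lower() if terms else None

def suspicious_searches(log_text, needle="memberlist.php"):
    """Map each search query containing `needle` to its number of distinct client IPs."""
    visitors = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in Combined Log Format
        query = search_query(match["referer"])
        if query and needle in query:
            visitors.setdefault(query, set()).add(match["ip"])
    return {query: len(ips) for query, ips in visitors.items()}

if __name__ == "__main__":
    for query, count in suspicious_searches(SAMPLE_LOG).items():
        print(f"{count:3d} visitor(s) arrived via search: {query!r}")
```

The crawler request in the sample carries no referrer and is not counted, which matches the distinction drawn in post #4. The Referer header is client-supplied, so treat the counts as a triage signal rather than proof.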

        • MagiKelly
          Member
          • Nov 2005
          • 39
          • 3.5.x

          #5
          Originally posted by mihai11
          Indeed, there is a vulnerability, not in VB but in another forum software called PHPBB.

          Recently I had to completely shut down a board based on this software. In the near future I will update this board to VB.

          What happened? Very simple: users awaiting in e-mail confirmation state appear in the list of active users for that site – this means that they are displayed by the memberlist.php page.
          That explains it. I have also had a couple of people who have sent spam messages through the contact page then signed up. These "members" have not done the email confirmation thing and I could not see the point in them signing up when they could not post any spam threads. Now it all makes sense.

          Thanks.

          Comment

          • SSandgirls
            Senior Member
            • Apr 2007
            • 175
            • 3.7.x

            #6
            Originally posted by mihai11
            Indeed, there is a vulnerability, not in VB but in another forum software called PHPBB.

            Recently I had to completely shut down a board based on this software. In the near future I will update this board to VB.

            What happened? Very simple: users awaiting in e-mail confirmation state appear in the list of active users for that site – this means that they are displayed by the memberlist.php page.

            You, as an administrator, cannot control this. As a result, on "peak days" I had about 30 to 40 bogus new registered users that were creating links to all kinds of web sites using the "Website" field.

            What is worse is that they did not need a valid e-mail address in order to create such an account, because they were listed as "active" users even if they were in e-mail confirmation status.

            PHPBB's interface for deleting users is very clumsy – you need to display the user's profile, scroll to the bottom of the page, select something then click a button in order to delete. You can imagine that it was a nightmare to do this 30 times a day. Not to mention what happens when you leave town for a few days ….. I once had to delete almost 300 bogus users.

            So, this is the current situation: if you put any value on your time, don't use PHPBB for your forums. There are other free alternatives.



            Regards,
            Razvan


            NB:
            IMO it is clear that this is the wrong decision – to put users in e-mail confirmation status in the list of active users. PHPBB's developers have done so in order to make boards powered by PHPBB look more popular.

            The very same thing was happening to me... I was getting 50 of those registrations daily.

            3 years on phpBB..... my biggest regret is that it took me this long to change over to VBulletin....

            One week tomorrow and not a single bogus/spam/bot registration.

            YAY for VBulletin

            Comment
