Bugs/Features of this release
* Optimize Search Queries bug needed
* Add Mailing List Subscriber Admin Section to Site admin page. enhancement
* User objects should not each store root email address. bug needed
* View By Date Thread Maintenance Page has some out of order threads bug
* Maintenance Page Search Enhancement. enhancement
* App Thread Search Results should be paged. bug needed
* Instant Email Reply Notification enhancement needed
Not a huge update in this release. Automatic email notifications on replies are back (it was requested by another board; I actually forgot it was a feature). I also fixed the search functionality a lot, between the admin section and the regular message board. It sometimes used to almost tank the whole site when people would search some queries, so I needed to fix that. Site admin section updates were just quality-of-life changes for myself.
Nothing really interesting for the next release so far besides mostly code cleanup. We'll see though.
being performed on the site already. I figured it wasn't even a blip on any radar, but I see attacks being performed quite regularly in the logs.
I guess one of the good things about spoofing the .cgi file extension is that all my attacks so far have been for PHP vulnerabilities and none of this site...
Requests that try and add crap to the query string:
They don't always use 'A'. They'll just put a single ' in there and see what happens. They just get a 400 response currently.
I also see requests for "/ads.txt"... whatever that is.
I'd have never guessed.
Some webforms accept more data than they provide, with defaults for them. Nice if your page has options (Google used to accept ?q= or similar), but the bots know that and start looking for it. Some people would do something like an admin=true rather than do real security.
And they already know the query string format of the discussion.cgi pages.
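The two points above (a lone ' or other junk dropped into the query string, and extra parameters such as admin=true that the page never asked for) are both handled by the same defensive pattern. Here it is as an added example, not the board's own code: an allowlist of the parameters discussion.cgi accepts, each with a strict value shape, so anything else gets the 400 described earlier, plus a replay of that check over access-log lines so you can see which clients are probing. The parameter names thread/page/q, the IP addresses and the log lines are constructed for illustration, and the language is Python even though the site's CGI backend is not specified.

```python
# Added example (not the board's own code): strict query-string allowlisting
# and a replay of that check over access-log lines.  Parameter names,
# addresses and log lines are constructed for illustration.
import re
from urllib.parse import parse_qsl, urlsplit

# Every parameter discussion.cgi is assumed to accept, with the exact shape
# its value may take.  Anything not listed here (a bot's admin=true, say)
# is rejected before any handler looks at it.
PARAM_RULES = {
    "thread": re.compile(r"[0-9]{1,9}"),
    "page":   re.compile(r"[0-9]{1,4}"),
    "q":      re.compile(r"[A-Za-z0-9 _.-]{1,64}"),
}


def validate_query(query):
    """Return (status, reason).  200 when every parameter is known, unique
    and well-formed; 400 otherwise.  The reason is for the server log only;
    the client should see nothing beyond the status."""
    if query == "":
        return 200, "ok"
    try:
        # strict_parsing turns a bare token such as a lone ' into a hard error
        pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        return 400, f"malformed query string: {exc}"
    seen = set()
    for name, value in pairs:
        if name not in PARAM_RULES:
            return 400, f"unknown parameter {name!r}"
        if name in seen:
            return 400, f"duplicate parameter {name!r}"
        seen.add(name)
        # fullmatch on the decoded value, so %27 and a raw ' are treated alike
        if not PARAM_RULES[name].fullmatch(value):
            return 400, f"bad value for {name!r}: {value[:40]!r}"
    return 200, "ok"


# Common log format, just enough of it to pull out client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(lines):
    """Replay every request's query string through validate_query and
    collect, per client IP, the requests that fail it.  Returns
    {ip: [(target, reason), ...]} containing offenders only."""
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        status, reason = validate_query(urlsplit(target).query)
        if status != 200:
            offenders.setdefault(m.group("ip"), []).append((target, reason))
    return offenders


# Constructed sample: one normal reader and one client poking at the string.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /discussion.cgi?thread=42&page=1 HTTP/1.1" 200 5123',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /discussion.cgi?thread=42%27 HTTP/1.1" 400 214',
    '198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /discussion.cgi?thread=42&admin=true HTTP/1.1" 400 214',
    '198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /discussion.cgi?q=' + "A" * 90 + ' HTTP/1.1" 400 214',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /ads.txt HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip)
        for target, reason in hits:
            print("   ", target[:60], "->", reason)
```

Running it lists only 198.51.100.9, with its three rejected requests and the reason for each; the normal reader never appears. Path-only probes are a separate matter from query validation (the /ads.txt request in the sample is the IAB ads.txt file that advertising crawlers fetch, so on its own it is usually noise rather than an attack).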
As of today I'm seeing them throw even more weird crap into the string. I guess I'll keep an eye on it if anything gets through but doubtful.
I just hope they don't figure out how to post and start spamming things.
that provides more information than you look for? If they provide more information, just delay loading for a few seconds for a minute or so.
I saw something that used random POST/GET parameter names to thwart that kind of attack. Maybe add some sort of key or something? If you regenerate the na...
When the error page pops up, it doesn't give any more information than "An error happened" and the status code to the user. (The rest gets logged server side).
I also do the same with password reset (which also has a reCAPTCHA). If you enter a bad email address or bad input it will just say "che...
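The two behaviours described in this reply, an error page that shows the user only a fixed sentence and the status code while the detail goes to the server log, and a password-reset form that answers the same way for a bad address, an unknown address and a real one, look like this when written out. This is an added example and not the board's code; the logger name, the handler shapes, the reset message text and the user table are assumptions, and the reCAPTCHA step is not modelled.

```python
# Added example (not the board's own code): keep error detail server-side
# and make the password-reset endpoint answer identically for every input.
# The logger name, handler shapes, messages and user table are assumptions.
import hashlib
import logging
import re
import secrets
import uuid

log = logging.getLogger("board")          # assumed logger; its output never reaches the client

GENERIC_ERROR = "An error happened"
GENERIC_RESET_MSG = "If that address is registered, a reset link is on its way."
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def handle(handler, *args):
    """Run a request handler.  Success returns (200, body).  Any exception is
    logged with a correlation id, traceback included, while the client gets
    only the status code and a fixed sentence."""
    try:
        return 200, handler(*args)
    except Exception:
        incident = uuid.uuid4().hex
        log.exception("unhandled error incident=%s", incident)
        return 500, f"{GENERIC_ERROR} (500)"


# Constructed user table; a real board would query its database.
KNOWN_USERS = {"alice@example.com"}
# Only the SHA-256 of each outstanding token is stored, keyed to its owner,
# so a leaked copy of this table cannot be replayed as a token.
RESET_TOKENS = {}


def request_password_reset(email, send, known_users=KNOWN_USERS):
    """Reset request.  Malformed input, unknown address and known address all
    get the same status and message; only the side effect (mail sent) differs,
    and the client cannot observe that.  Addresses are deliberately not logged."""
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        log.info("reset: rejected malformed address")
        return 200, GENERIC_RESET_MSG
    if email in known_users:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
        send(email, token)
    else:
        log.info("reset: unknown address")
    return 200, GENERIC_RESET_MSG


def consume_reset_token(token):
    """Single use: return the owning email for a valid token and discard it,
    or None.  Lookup is by hash, so the raw token never touches storage."""
    return RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)


if __name__ == "__main__":
    outbox = []
    print(handle(lambda: 1 / 0))          # (500, 'An error happened (500)')
    for addr in ("alice@example.com", "nobody@example.com", "not-an-email"):
        print(request_password_reset(addr, lambda a, t: outbox.append((a, t))))
    print(len(outbox), "mail(s) actually sent")   # 1
```

The point of `request_password_reset` is that all three branches return the identical tuple; the only thing that differs is whether `send` is called, which a remote client cannot see. Keeping the token store as hashes means the reset link in the mail is the only copy of the secret.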