Forum Replies Created

  • Thread Starter dchanin

    (@dchanin)

    i cannot vet all my registered members to have any confidence that someone won’t sell all these e-mails for marketing or other purposes. most of them are using disposable e-mails because they’re afraid of getting spammed. it turns out that they had a good reason to register that way.

    i’ve been a software developer for a long time. calling a bug a “feature” is something we laugh about all the time.

    it’s obvious that it was a mistake because of the care taken everywhere else in the code to keep people at the lower levels from seeing other people’s registration information.

    if LesBessant is right and this information leak is intentional, then why is this the only place (that i could find so far) where private registration information (and all the IPs that were used to make Comments) are publicized?

    my blog users have an expectation of privacy when they register. they don’t want their e-mail blasted all over the internet.

    so why can’t logged-in members see each other’s Profiles?

    and why does WP give people a choice whether they want to display their login, or just their first name, or both first and last?

    and why can’t logged-in members click on someone’s handle to send them an e-mail?

    it’s because WP intended that information to be kept private … but it isn’t. so that’s a bug!

    Thread Starter dchanin

    (@dchanin)

    i’ve had to make so many fixes to the silly thing that i’ll never bother to upgrade. it’s badly coded and not modular at all. i’ve had to patch ten different routines already and have only been using it a month.

    Thread Starter dchanin

    (@dchanin)

    after fixing the security hole in menu.php that exposes all Commenter’s private information that WP tries to protect everywhere, this is the corresponding hack to wp-register.php to tell people that their e-mail is kept private:

    <form method="post" action="wp-register.php" id="registerform">
    <label for="user_email"><?php _e('E-mail: (kept private and never displayed)') ?></label>
    <input
    type="text"

    Thread Starter dchanin

    (@dchanin)

    It is a security hole. Anyone who is Level 2 (the minimum needed to avoid the silly Draft publish) can look at *anyone’s* e-mail address and IP … they can look at all the e-mails of everyone who has ever made a comment.

    This display of all other member’s e-mails is not limited to showing someone who has made a comment on that person’s post.

    A new member with no posts or comments can see the e-mails of everyone who has made a comment. Well, WP does not allow that for Posts (whose e-mails are kept private), it only exposes e-mails of those who have made Comments.

    That is a BUG and a SECURITY HOLE!

    Somewhere in the template files it says that e-mails are not published. That’s not true!

    If you want
    put out for every Level 1 member to see.

    Thread Starter dchanin

    (@dchanin)

    This is definitely a bug in 1.5.1.1 that it exposes all Level 2 member’s e-mails who have made Comments so that they can all see each other’s e-mails and IPs. This despite the WP claim that blog member’s e-mails are kept private from other members. It is a big security hole.

    The security hole does not seem to affect those who have made Posts, it apparently only exposes private information for those who have made Comments. It is a bug in edit-comments.php which exposes e-mails and IPs of everyone who has made comments without checking their user-level.

    The easiest kludge is to turn off their ability to Manage/Comments/View by changing menu.php so that Level 3 is required to access edit-comments.php at all. Since it’s a WP bug, it’s more important that i protect my member’s privacy than rewrite edit-comments.php to let lower-level members view only their own private information.

    Since all my members are Level 2, i can keep them from seeing each other’s private information by making this change to menu.php:

    in menu.php, change
    $submenu['edit.php'][20] = array(__('Comments'), 1, 'edit-comments.php');
    to
    $submenu['edit.php'][20] = array(__('Comments'), 3, 'edit-comments.php');
    and then Level 3 is required to see other people’s private information.
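    An added illustration (not WordPress code and not the poster's patch) of the alternative mentioned above: instead of raising the whole Comments menu entry to Level 3, filter the rows that edit-comments.php would list so that e-mail and IP are visible only to the commenter themselves or to users at or above an assumed REVIEW_LEVEL. Column names mirror the wp_comments table; the sample rows are constructed.

```php
<?php
// Hypothetical helper, not part of WordPress: redact private comment fields
// for viewers who are neither the comment's owner nor a reviewer.
define('REVIEW_LEVEL', 3); // assumed level needed to see everyone's e-mail and IP

function redact_comment_for_viewer(array $comment, $viewer_id, $viewer_level) {
    // Anonymous commenters have user_id 0, so never treat 0 as an owner match.
    $is_owner    = ((int) $viewer_id > 0) && ((int) $comment['user_id'] === (int) $viewer_id);
    $is_reviewer = ((int) $viewer_level >= REVIEW_LEVEL);
    if ($is_owner || $is_reviewer) {
        return $comment;                       // full row, including e-mail and IP
    }
    $comment['comment_author_email'] = '';     // public fields only for everyone else
    $comment['comment_author_IP']    = '';
    return $comment;
}

function visible_comments(array $comments, $viewer_id, $viewer_level) {
    $out = array();
    foreach ($comments as $c) {
        $out[] = redact_comment_for_viewer($c, $viewer_id, $viewer_level);
    }
    return $out;
}

// Constructed sample rows (not real data).
$comments = array(
    array('comment_ID' => 1, 'user_id' => 7, 'comment_author' => 'alice',
          'comment_author_email' => 'alice@example.invalid',
          'comment_author_IP' => '192.0.2.10', 'comment_content' => 'First!'),
    array('comment_ID' => 2, 'user_id' => 9, 'comment_author' => 'bob',
          'comment_author_email' => 'bob@example.invalid',
          'comment_author_IP' => '192.0.2.20', 'comment_content' => 'Nice post.'),
    array('comment_ID' => 3, 'user_id' => 0, 'comment_author' => 'guest',
          'comment_author_email' => 'guest@example.invalid',
          'comment_author_IP' => '192.0.2.30', 'comment_content' => 'Hello.'),
);

// A Level 2 viewer with user_id 7 sees only alice's own e-mail and IP;
// bob's and the anonymous guest's are blanked. A Level 3 viewer sees all of them.
foreach (visible_comments($comments, 7, 2) as $c) {
    printf("%-6s email=%-22s ip=%s\n", $c['comment_author'],
           $c['comment_author_email'] === '' ? '(hidden)' : $c['comment_author_email'],
           $c['comment_author_IP'] === '' ? '(hidden)' : $c['comment_author_IP']);
}
```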

    ok. found the problem when i got that 404 error myself clicking on the CSS link in my post. it’s in the right place but there’s no world read permission

    uploading the wordpress files from my PC to the new server set the unix permissions to 600. the CHMOD should be 644 and the folders should be 711 (i think). I don’t know why F-Secure usually screws up the file permissions on PC-to-unix transfers and makes a lot of them private. Most of them were world readable or else i could not see Admin Panel or the blog on the server with a remote browser. Anyway … Thanks for your help!

    Exactly the same problem of no CSS formatting occurs with Firefox and with IE 6. The lack of formatting is for both the admin screen (Dashboard) as well as the blog display.

    Both Admin and Blog pages validate as good XHTML and its source code for the main page.

    The problem occurs for both Default and Classic themes. Here is a listing of the source code for the page and you can see on line 11 that it’s referencing the stylesheet. This is how the source code for http://maccs2support.chaninconsulting.com displays in the XHTML validator. I’ve tried putting wordpress in a subfolder (chaninconsulting.com/blog) and it gives me exactly the same problem.

    The wordpress files for 1.5.1.2 are installed in the root of a subdomain folder: http://maccs2support.chaninconsulting.com, as follows:

    1: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    2: <html xmlns="http://www.w3.org/1999/xhtml">
    3:
    4: <head profile="http://gmpg.org/xfn/11">
    5: <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    6:
    7: <title>MACCS2SUPPORT » Uncategorized</title>
    8:
    9: <meta name="generator" content="WordPress 1.5.1.2" /> <!-- leave this for stats please -->
    10:
    11: <style type="text/css" media="screen">
    12: @import url( http://maccs2support.chaninconsulting.com/wp-content/themes/classic/style.css );
    13: </style>

    Just some more information. My webserver is running Apache 1.3.33 and i’ve tried installing it both in the root of mysubdomain.mywebsite.com as well as a blog subfolder off my public_html folder: http://www.mywebsite.com/blog . In both cases, setting the blog location and the wordpress install location to the same values under Options does not fix the problem as it did on my previous web server.

    Why would it not be processing the CSS files? My blog has no comments and my original blog is still running on the old server so i deleted the database (instead of trying to import it) and recreated a new database that’s empty. WordPress is hooked up to the database just fine. I can add users and make posts but everything is displayed in unformatted text.

    Please help me.

    I’m having the same problem. i just did a clean install of 1.5.1.2 and neither Default or Classic is using their CSS files. All i get are plain HTML pages without formatting.

    This happened to me before with 1.5.1.1 when i set my blogname different from the wordpress install location— making them the same solved the problem.

    Thread Starter dchanin

    (@dchanin)

    No luck changing vars.php. None of these changes let me log in with IE6 default security settings:
    —–
    // Changing path for cookies so that they are based on same URI as the blog's domain name
    define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_settings('home') . '/' ) );
    //define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', 'http://www.maccs2support.com' . '/' ) );
    //define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', 'http://maccs2support.com' . '/' ) );
    //define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', 'www.maccs2support.com' . '/' ) );

    //define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_settings('siteurl') . '/' ) );
    define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', 'http://www.maccs2support.com' . '/' ) );
    define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', 'http://maccs2support.com' . '/' ) );
    define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', 'www.maccs2support.com' . '/' ) );

    Thread Starter dchanin

    (@dchanin)

    OK, the easiest solution is to turn off cookies and that will avoid the third-party cookie problem. They will not have a persistent session. I’ve already wasted two days on this.

    Can anyone tell me how to turn off cookies in WP 1.5..11.1??? Thanks!

    Thread Starter dchanin

    (@dchanin)

    OK, the IBM P3P Editor is easy to use and i have the XML file. The problem is how do i insert a link into the WordPress file(s) so that it finds my privacy file (in XML)? Also, how do i set up the compact privacy (CP) string for WordPress?

    I can’t believe i’m the only one who wants to have a WP blog accessible with the default security settings of IE 6. Most people at work don’t have a choice on what browser to use or its security settings. This seems like a major deficiency of the WP software.

    Thread Starter dchanin

    (@dchanin)

    Ok, i’ve figured out the Privacy Policy generator at
    http://www.canadiancontent.net/en/jd/go?Url=http://www.p3pwiz.com
    is not generating well-formed XML for my privacy policy file:
    http://validator.w3.org/p3p/20010928/header.pl?mode=line&uri=http://www.maccs2support.com/w3c/p3p.xml

    Even though the link to the P3Pv1 file is right after the <HEAD>, the P3P Validator is saying that it can’t find it. I guess i have to use the IBM Policy Generator, even though many say it’s hard to use.

    Here is what i get from the P3P Validator even though the link is in there:
    —–
    Step 1-2: Syntax check

    /w3c/p3p.xml is NOT an well-formed XML file

    .

    mismatched tag at line 6, column 2, byte 129:
    <TITLE>MACCS2 Support Forum</TITLE>

    </HEAD>
    =^
    <FRAMESET ROWS="100%,*" BORDER="0" FRAMEBORDER="0">
    <FRAME SRC="http://www.davidchanin.com/blog1/w3c/p3p.xml" SCROLLING="AUTO" NAME="bannerframe" NORESIZE>
    ——————————————————————————–

    Step 2: HTTP Protocol Validation ( HTTP headers )

    HTTP headers have no P3P: header.

    ——————————————————————————–

    Step 3: HTML File Validation

    HTML document has no P3P compliant link tags.
