Status
Not open for further replies.

vijayninel

Hi,

I am using Advanced User Tagging (Pro) v 2.0.3 on vB 3.8.5 and the problem is that right now guests are able to tag an unlimited number of users in threads.

I have set the usergroup option for unregistered users - Is Excluded Usergroup - to yes. Unfortunately this is not having the desired effect.

Another major security feature missing in this mod is that there is no way to reasonably limit the number of members that users can tag. Right now any guest can walk in and tag tens of thousands of members to multiple threads, potentially crashing the forum.

A DDOS attack using this mod has already taken place as mentioned by this user : vBulletin.org Forum - View Single Post - [DBTech] Advanced user Tagging v2 (vB3)

Please try and put some reasonable limits to the number of members people that can be tagged or mentioned by user groups per day. Like say 100 mentions/100 tags per 24 hrs. This will prevent misuse of this mod for malicious reasons.

Thanks and regards,

vijayninel
 
I am using Advanced User Tagging (Pro) v 2.0.3 on vB 3.8.5 and the problem is that right now guests are able to tag an unlimited number of users in threads.
Guests cannot tag users in threads. Are you talking about mentions?

I have set the usergroup option for unregistered users - Is Excluded Usergroup - to yes. Unfortunately this is not having the desired effect.
That setting controls whether the usergroup can be targeted for tags and mentions.

Another major security feature missing in this mod is that there is no way to reasonably limit the number of members that users can tag. Right now any guest can walk in and tag tens of thousands of members to multiple threads, potentially crashing the forum.
How can that crash a forum? Even if they manage to clog up the DB with the inserts, that's a maximum of wait_timeout seconds the forum is "down".

Not to mention if they actually take the time to do that...

A DDOS attack using this mod has already taken place as mentioned by this user : vBulletin.org Forum - View Single Post - [DBTech] Advanced @user Tagging v2 (vB3)
A Distributed Denial of Service attack is using a large number of machines in order to bring down a server using simple requests like load the home page.

Please try and put some reasonable limits to the number of members people that can be tagged or mentioned by user groups per day. Like say 100 mentions/100 tags per 24 hrs. This will prevent misuse of this mod for malicious reasons.
That is impossible to achieve for guest posting due to the fact that there is no unique identifier that's 100% unique (IP addresses change) - guests have no username.
 
Guests cannot tag users in threads. Are you talking about mentions?

No, guests are able to tag registered members in threads in my forum. You can tag me and check it out here: Erodov Forums. My username there is vijayninel.

How can that crash a forum? Even if they manage to clog up the DB with the inserts, that's a maximum of wait_timeout seconds the forum is "down".

Not to mention if they actually take the time to do that...

Well ... some of the malicious attacks make no sense to me but people do take the time off to do such things. Someone could potentially register and start tagging/mentioning thousands of users and this could create problems.

Some sort of controls would be nice. For instance in vBulletin you can specify the number of tags each user can add per thread.
 
Another problem that I am facing is that I get notifications not just when someone quotes me, but also when I quote someone. It makes no sense that I get a notification telling me that I have quoted someone. Please look into this issue as well.

self-quote.png
 
No, guests are able to tag registered members in threads in my forum. You can tag me and check it out here: Erodov Forums. My username there is vijayninel.
Weird that I can't reproduce that on my localhost...

We'll add more usergroup permissions to a future version, though :)

Well ... some of the malicious attacks make no sense to me but people do take the time off to do such things. Someone could potentially register and start tagging/mentioning thousands of users and this could create problems.

Some sort of controls would be nice. For instance in vBulletin you can specify the number of tags each user can add per thread.
If you re-post "per-user limitation on tags / mentions" as a feature suggestion we'll take it into consideration for future versions :)

Another problem that I am facing is that I get notifications not just when someone quotes me, but also when I quote someone. It makes no sense that I get a notification telling me that I have quoted someone. Please look into this issue as well.
That's working as intended, but if you re-post that as a separate feature suggestion, we'll take that too into consideration :)
 
Weird that I can't reproduce that on my localhost...

We'll add more usergroup permissions to a future version, though :)

I am able to reproduce this issue on a fresh install of vbulletin on my localhost and I can reproduce this issue on any vb 3.8 forum where your mod has been installed. I just tagged a member (ollysj) in this thread Steelers Vs Texans on the gridironfans.com forums as a guest.

It is regrettable that this thread has been marked as "not a bug" when it can be clearly reproduced in multiple live forums. I urge the dragonbyte-tech staff to re-examine this issue. More new usergroup permissions will be welcome but please check the current issue.
 
I have a workaround for this; it will disable the Tag Users button for anyone not logged in to the site.

Open the template DragonByte Tech: Advanced User Tagging Templates/dbtech_usertag_inlinetaglist

Look for this bit of code:

HTML:
<td class="alt1" style="width:100%">
            <input type="button" class="button" value="{$vbphrase[dbtech_usertag_tag_user]}" onclick="YAHOO.util.Dom.get('dbtech_usertag_tagarea').style.display = 'block'" />
            <div id="dbtech_usertag_tagarea" style="display:none;">
                <div>{$vbphrase[dbtech_usertag_tag_user_descr]}</div>
                <div><input type="text" class="bginput" name="usertags" style="width:95%" id="dbtech_usertag_newtags" /></div>

And change it to this:

HTML:
<if condition="$show['member']">
        <td class="alt1" style="width:100%">
            <input type="button" class="button" value="{$vbphrase[dbtech_usertag_tag_user]}" onclick="YAHOO.util.Dom.get('dbtech_usertag_tagarea').style.display = 'block'" />
            <div id="dbtech_usertag_tagarea" style="display:none;">
                <div>{$vbphrase[dbtech_usertag_tag_user_descr]}</div>
                <div><input type="text" class="bginput" name="usertags" style="width:95%" id="dbtech_usertag_newtags" /></div>
</if>

That will have to be done in each style you have.
 
Thanks for that information. However the table head was still visible in that so I put it before and after the table like this.

PHP:
<if condition="$show['member']"> 
<table class="tborder" cellpadding="$stylevar[cellpadding]" cellspacing="0" border="0" width="100%" align="center">
<thead>
	<tr style="padding-top:5px;">
		<td class="tcat"><a href="usertag.php?{$session[sessionurl]}do=list&action=tags&t={$threadid}">{$vbphrase[dbtech_usertag_tag_list]}</a></td>
	</tr>
</thead>
<tbody>
	<if condition="$taglist">
	<tr>
		<td class="alt1">{$taglist}</td>
	</tr>
	</if>
	<tr>
		<td class="alt1" style="width:100%">
			<input type="button" class="button" value="{$vbphrase[dbtech_usertag_tag_user]}" onclick="YAHOO.util.Dom.get('dbtech_usertag_tagarea').style.display = 'block'" />
			<div id="dbtech_usertag_tagarea" style="display:none;">
				<div>{$vbphrase[dbtech_usertag_tag_user_descr]}</div>
				<div><input type="text" class="bginput" name="usertags" style="width:95%" id="dbtech_usertag_newtags" /></div>
				<!--DBT_PRO_START--><div><input type="checkbox" name="allfriends" value="1" id="dbtech_usertag_friends" /> {$vbphrase[dbtech_usertag_all_friends]}</div><!--DBT_PRO_END-->
				<div><input type="submit" class="button" name="submittag" value="{$vbphrase[submit]}" onclick="if(YAHOO.util.Dom.get('dbtech_usertag_newtags').value.length == 0 && YAHOO.util.Dom.get('dbtech_usertag_friends').checked == false) { return false; } else { return true; }" /></div>
			</div>
		</td>

	</tr>
</tbody>
</table>
</if>

However I have nine styles and it is difficult to do this for each style. I hope future versions of the software will fix this bug or "not a bug".
 
Since we don't have any usergroup checks in place for preventing guests, the ability for guests to tag would indeed be considered not a bug :)

That being said, I've updated the .xml file with a workaround. If you re-download and re-import, it should no longer be possible :)

EDIT: Both those fixes are incorrect, please revert them after importing the new XML.
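
Added example, not DragonByte Tech's code and not part of the thread: the template edits above only change what is rendered, so the guest restriction and the per-user limit requested earlier (100 tags per 24 hours) belong where the tag submission is processed. This stand-alone PHP example uses hypothetical names (`gate_tags`, and `$log` standing in for a database table) and no vBulletin API; the sample run at the end uses constructed data.

```php
<?php
// Added example with hypothetical names; no vBulletin or DragonByte API is used.
// $log stands in for a table of accepted tags: one ['userid' => int, 'time' => int] per tag.
const TAG_LIMIT  = 100;    // per-user cap suggested in the thread
const TAG_WINDOW = 86400;  // 24 hours, in seconds

// Returns ['accepted' => string[], 'reason' => string] and appends accepted tags to $log.
function gate_tags(int $userId, array $requested, array &$log, int $now): array
{
    // Guests (user id 0) have no stable identifier to meter, so refuse them outright.
    if ($userId <= 0) {
        return ['accepted' => [], 'reason' => 'guests may not tag'];
    }
    // Trim, drop empties, and de-duplicate case-insensitively.
    $names = [];
    foreach ($requested as $name) {
        $name = trim((string) $name);
        if ($name !== '') {
            $names[strtolower($name)] = $name;
        }
    }
    // Count this user's tags inside the sliding window.
    $used = 0;
    foreach ($log as $row) {
        if ($row['userid'] === $userId && $row['time'] > $now - TAG_WINDOW) {
            $used++;
        }
    }
    // Accept only what still fits in the quota, and record it.
    $accepted = array_slice(array_values($names), 0, max(0, TAG_LIMIT - $used));
    foreach ($accepted as $unused) {
        $log[] = ['userid' => $userId, 'time' => $now];
    }
    $reason = count($accepted) < count($names) ? 'limit reached' : 'ok';
    return ['accepted' => $accepted, 'reason' => $reason];
}

// Constructed sample run.
$log = [];
$now = 1700000000;
$bulk = array_map(function ($i) { return "member$i"; }, range(1, 150));
foreach ([[0, ['alice']], [42, $bulk], [42, ['bob']], [7, ['alice', 'Alice ']]] as [$uid, $tags]) {
    $r = gate_tags($uid, $tags, $log, $now);
    printf("user %d: %d accepted (%s)\n", $uid, count($r['accepted']), $r['reason']);
}
// A day later the window has moved on and user 42 has quota again.
$r = gate_tags(42, ['bob'], $log, $now + TAG_WINDOW);
printf("user 42 next day: %d accepted (%s)\n", count($r['accepted']), $r['reason']);
```

In a real plugin the log would be a database table keyed on the poster's user id, and the check would run before any tag rows or notifications are written.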
 