Comments on: Cruciforum: crucially simple http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple scratched tallies on the prison wall Tue, 02 Dec 2008 20:53:55 +0000 http://wordpress.org/?v=2.6.5 By: OpenCycleRoute » Blog Archive » Discuss http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-107538 OpenCycleRoute » Blog Archive » Discuss Mon, 11 Feb 2008 23:54:13 +0000 http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-107538 [...] while back I added a simple discussion forum for opencycleroute.org, based on cruciforum by Stuart [...] [...] while back I added a simple discussion forum for opencycleroute.org, based on cruciforum by Stuart [...]

]]> By: Matt Round http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99720 Matt Round Thu, 18 Oct 2007 13:41:22 +0000 http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99720 CSRF isn't much of an issue in this case, but it could be abused to make innocent users post on behalf of a spammer (when they visit a site set up by the spammer or a site compromised by XSS). You then wouldn't be able to usefully use IP for blacklisting, and if the spammer's site used HTTPS then there'd be no referer to block either. Like I said, it's not a major issue though, particularly if the chosen anti-spam measures rely upon content and user interaction rather than IP/referer. CSRF isn’t much of an issue in this case, but it could be abused to make innocent users post on behalf of a spammer (when they visit a site set up by the spammer or a site compromised by XSS). You then wouldn’t be able to usefully use IP for blacklisting, and if the spammer’s site used HTTPS then there’d be no referer to block either.

Like I said, it’s not a major issue though, particularly if the chosen anti-spam measures rely upon content and user interaction rather than IP/referer.

]]> By: Cruciforum, then. « Exploring Freedom with Matt Lee http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99717 Cruciforum, then. « Exploring Freedom with Matt Lee Thu, 18 Oct 2007 00:55:32 +0000 http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99717 [...] 18th, 2007 · No Comments Cruciforum - a really (really) simple forum, written inPHP. [...] [...] 18th, 2007 · No Comments Cruciforum - a really (really) simple forum, written inPHP. [...]

]]> By: sil http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99715 sil Tue, 16 Oct 2007 15:33:14 +0000 http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99715 Matt: I'm not sure how CSRF applies here. Yes, I could trick your browser into posting as you to a Cruciforum from some other site, but then I could just go to the forum myself and post as you too. There are no identity guarantees. I can't think of a reason why I can't go to some forum you don't know about somewhere else and sign up as mattround, either. I can't fill in my email address as being yours, because I'll fail verification, but I can say "I'm Matt Round and my website is malevolent.com" on every weblog comment form in the land without any problem. Unless we're prepared to demand (not allow, but _demand_) something like OpenID or some trust metric, that's just the way it is. If that counts as CSRF, then Cruciforum isn't any more vulnerable than half the rest of the internet.<br /> <br /> Anti-spam, yes, and http://www.kryogenix.org/bugs/cruciforum/spam-protection.html discusses precisely that. Matt: I’m not sure how CSRF applies here. Yes, I could trick your browser into posting as you to a Cruciforum from some other site, but then I could just go to the forum myself and post as you too. There are no identity guarantees. I can’t think of a reason why I can’t go to some forum you don’t know about somewhere else and sign up as mattround, either. I can’t fill in my email address as being yours, because I’ll fail verification, but I can say “I’m Matt Round and my website is malevolent.com” on every weblog comment form in the land without any problem. Unless we’re prepared to demand (not allow, but _demand_) something like OpenID or some trust metric, that’s just the way it is. If that counts as CSRF, then Cruciforum isn’t any more vulnerable than half the rest of the internet.

Anti-spam, yes, and http://www.kryogenix.org/bugs/cruciforum/spam-protection.html discusses precisely that.

]]> By: Matt Round http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99714 Matt Round Tue, 16 Oct 2007 14:33:39 +0000 http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99714 The simplicity is refreshing, but releasing it without anti-spam/validation/anti-CSRF/throttling measures makes me wince a little. Anyone installing this version will be wide open to abuse. The simplicity is refreshing, but releasing it without anti-spam/validation/anti-CSRF/throttling measures makes me wince a little. Anyone installing this version will be wide open to abuse.

]]> By: N. http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99711 N. Tue, 16 Oct 2007 08:13:31 +0000 http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99711 Why does the name make me think someone's been reading too much JK Rowling... :) Why does the name make me think someone’s been reading too much JK Rowling… :)

]]> By: Adriatic http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99710 Adriatic Tue, 16 Oct 2007 07:26:54 +0000 http://www.kryogenix.org/days/2007/10/16/cruciforum-crucially-simple#comment-99710 Cool name! You seem to be Dan Simmons fan (just like myself :-) Cool name!
You seem to be Dan Simmons fan (just like myself :-)

]]>