No announcement yet.

User home page field - how are untrusted users able to fill it in?

  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] User home page field - how are untrusted users able to fill it in?

    I have vBulletin set up so that anyone can register, but that registered users have very few permissions. When someone posts something that is not spam, I promote them to a custom user group called "Trusted Users" that basically has all the permissions of the default "Registered Users" group.

    I have noticed spammers (or spam-bots) inserting links everywhere possible in their user profile, and then submitting their user profile to the search engines. To prevent this, I turned off the ability for registered users to edit their profiles. In most cases this works, but I occasionally find that a registered user (i.e. untrusted) has managed to fill in their "Home Page" field.

    Does anyone have a clue how they could be doing this? The "Home Page" field does not show up on the registration form...

  • #2
    I'm using the plugin "VSa - Login To User Account". I wonder if that could be opening a security hole somehow... I disabled it. Now just have to wait and see...


    • #3
      It turns out that it was simply a hole in my own permissions. The usergroup "Users Awaiting Email Confirmation" still had the default setting that users can edit their own profiles.


      widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.