Forum    Search    FAQ

Board index » Chat Forums » Suggestions and Comments




Post new topic  Reply to topic  [ 1 post ] 
 
Author Message
 Post Posted: Sun Aug 15, 2021 6:41 pm 
User avatar
Offline
Joined: Fri May 03, 2013 9:56 am
Posts: 387
Location: East of the West, west of the East, north of the South, south of the North Pole.
I hope somebody with administrator access reads this part of the forum, because I have several problems to report. Yesterday I finally managed to regain access to my forum account, having been unable to log in for half a year. That does not mean that my problems are solved. Far from it.

Some time in February (or possibly March) a character encoding bug was introduced in the forum software, causing the server to fail to recognize my username. Suddenly I couldn't log in anymore. All I got was the error message "Incorrect login.". At first I thought it might be a temporary problem with the server, so I waited to see if it would go away. It has not.

Unable to use the forum to contact an administrator, I sought a way to reach somebody by email. I tried the email address mentioned in this announcement. The mail server replied "Account Inactive". I also tried several of the addresses required by RFC 2142, to no avail.

Eventually I tried the passcode reset function. I have not forgotten my passcode. It's safely stored in an encrypted file. I tried the reset function anyway, mostly to be able to say that I had. This exposed two more problems. One is that the forum sends email over unencrypted SMTP, revealing both the confirmation link and the new passcode to every spy on the Internet. There is no valid reason to not enable TLS. The SMTP client doesn't even need a certificate. At least smtp_tls_security_level = may should be set in Postfix. Although that can only thwart passive eavesdropping, not man-in-the-middle attacks, it's better than disabling TLS even when the server supports it.

The other problem with the passcode reset function is that it sends invalid emails. I had to do a workaround in my email server to be able to receive the new passcode. Emails without proper MIME should not be expected to be deliverable.

With that hurdle behind me I tried to log in with the new passcode, and got "Incorrect login." once again, proving that the problem was not with the passcode. The invalid email did however give me a hint at how the forum mishandles usernames. I found that I could log in by mangling my username into "Rombobjörn". Even then something doesn't work right. After logging in with the mangled username yesterday I saw this string at the top of the page:

<ul class="elgg-system-messages"><li class="hidden"></li><li><div class="elgg-message elgg-message-error"><div class="elgg-inner"><div class="elgg-body">profile:notfound</div></div></div></li></ul>

Despite that error I end up logged in, and I can apparently post, but I can't change my passcode from the one that the passcode reset function exposed in the unencrypted email. The passcode-changing function at https://login.sluggy.com/profile rejected the mangled username that the server itself put in the form, which I didn't touch. The passcode-changing function at ucp.php?i=ucp_profile&mode=reg_details said that my current passcode, which I had just used to log in, was incorrect. Most likely that one also fails on the username, but the error message is written with the incorrect assumption that the only thing that can be wrong is the passcode.

By the way, I also see various character encoding errors in the archive. The mishandling of character encodings seems widespread at sluggy.com.

Top 
   
Display posts from previous:  Sort by  
 
Post new topic  Reply to topic  [ 1 post ] 

Board index » Chat Forums » Suggestions and Comments


Who is online

Users browsing this forum: No registered users and 1 guest

 
 

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to: