By Spyros on Friday, 27 September 2013
Posted in General Issues
Hi,

I recently installed EasyDiscuss on my website, which has Joomla! SEF enabled, and I realized that all of my website's users' and admins' usernames are now publicly available.

The profile URL ends with the user's username. This is a serious problem that makes hackers' lives easier and brute force attacks possible.

Please provide a solution because I will be forced to remove the extension from my website ASAP.

Thank you
Hi!
I want to have the same feature. What is the code used in components/com_easydiscuss/helpers/router.php?
Thursday, 16 January 2014 08:05

Hello Lefteris,

I am sorry but unfortunately this requires quite a bit of hacking and I really wouldn't advise you to go through this route now.
Thursday, 16 January 2014 11:44

Hi,

I am so disappointed to discover that, 2 version updates after the fix you provided for this crucial issue, you have not implemented the fix in the core of the extension.
Security must be the first concern of any extension development and displaying the usernames in public is a bad practice.
Thursday, 16 January 2014 16:00

Hello Spyros,

You need to understand the implications behind this. By using names, the id will need to be prepended on the url. We'll see if we can fix this in the next version. In fact, this isn't about fixing but more of a configuration option which allows the user to choose whether they want to display the name or username for URLs. Some people prefer to use usernames over real name for privacy purposes.
Thursday, 16 January 2014 17:30

Hi Mark,

I think that the website owner should be the one to decide the security options; with bad security there is no privacy. The ideal solution would be an admin option to decide how URLs will be handled, like the option you have for "Name format" (Real name, nickname, username).

Thank you
Thursday, 16 January 2014 19:17

Noted and agreed
Thursday, 16 January 2014 20:12