Aug 03

Lack of Time

Work and more work.  And more work.  Trying to get a site launched for work; need to do some work to clear exploits.  Fun.

And to address the culprits of the fun comment e-mail spoofing – thanks for identifying the exploit.  We have your IP, and we’re not pleased.  Regardless of the intention, impersonating the owners of this site, inclusive of any possible misrepresentation of the material on this site, is against this site’s terms of use – as would be the case with most sites.

We’re clearing the comments and will be investigating the exploit as time permits.  You want to post as Santa Claus or the Tooth Fairy — feel free.  Do not post as us anymore – we will ban you.  This warning applies to the original exploiter and any copycats who were curious.

This site was established to keep fans of the MYST community up to date regarding the progression of our project.  We enabled comments as a courtesy and to open communication between the community.  If this is not respected, we can and will shut comments down.

Posted at 1:36 am by Patrick in website
13 others write,
  • Well at least now you know the flaw that is in your site and hope you fix it so that, like I said, others wouldn’t do the same.

  • Oh..by the way Patrick, it was not in my intention to do harm but prevent further things happening to this site.
    Hey…LINKINGLADY?

    Keep up the good work and be honest, you were confused at some point? right. He He He!

  • Whew! I’m glad you guys are on top of this.

  • AndyBlooShoes

    Ahhh sorry I was just sooooo confused. Didn’t mean to give you extra work.

  • Good to hear this is all fixed :)

  • Yeah, Patrick can get mean… really though, it’s of no issue. I just needed to put a stop to it before it got any further out of hand. No one should be taking any actions on this site that could result in any user impersonating another user – regardless of intention or cause. I had to put my foot down. The reality is that it’s not fixed yet — hence the decree. If I had the time right now outside of work, Passage, life I would have just fixed it and quietly gone about my business. Unfortunately, the exploit is pretty nested inside of WordPress and life doesn’t always loan me the time to make such corrections. No one’s in trouble, no one has been banned, and we don’t hate anybody (well, except for the people that we do).

  • Oh dear…

    *prays to the Maker that he’s under A&P’s nice list*

  • If you have a few minutes and no idea what to fix exactly, you should try this:
    http://www.dagondesign.com/articles/prevent-author-impersonation-in-wordpress-comments/ .

    It works (I installed WordPress just to try to find a fix for this exploit) and it’s very easy to implement (even for someone with no PHP knowledge).

  • myst fanatic

    I want to quote Atrus again! “Who the Devil are YOU!!!” ahhhhh…… now that I got that out of my system, I can move on with my life.

  • realXCV – Thanks for the link. It’s been installed and tested. It works to prevent anyone from impersonating us, but unfortunately, not each other. With some more SQL queries and loops I could probably find a solution for everyone – but it would prevent two guys named Joe posting without warning problems – that and I’m not convinced that I want the system looping thousands of comments each and every time someone tries to post a comment. Thanks!

  • Yeap! It works… I couldn’t impersonate Patrick, He He!

  • Same thing for Adrian.

    I guess if you add something like:
    else {
        if ($logged_in_name != $comment_author) {
            wp_die( __('Use your own name!') );
        }
    }
    after the code provided in the link it can help prevent Adrian from impersonating you.

    As for Joe #1 and Joe #2, be careful to not prevent someone from posting just because their IP has changed. I don’t want to have to use a new name every time I try to post something (my IP is dynamic).

    You can also register users on WordPress (as subscribers, which gives them no rights except the fact that nobody will be able to impersonate them… or administrators to make them happy) to prevent others impersonating them.

  • That method works, but the best way would be to check the “Users must be registered and logged in to comment” box, provide a link to the registration page, and set the default user mode to subscriber. That is the easiest way to ensure that no one impersonates anyone else. It doesn’t require anything more of the users (they already have to give an email address) and registering would be a one-time thing.
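
The idea raised in the last few comments (registered names are protected, everyone else posts freely) can be sketched as a single comment filter. This is an added example, not code from the original thread or from the linked article; the function name `example_block_comment_impersonation` is hypothetical, and it assumes a WordPress version whose user query accepts `display_name` as a search column. It looks up the users table only, so it never loops over existing comments.

```php
<?php
// Added example: reject anonymous comments that claim the name or e-mail
// of a registered account. The function name is hypothetical.
function example_block_comment_impersonation( $commentdata ) {
    // Pingbacks and trackbacks carry no visitor-supplied identity.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata;
    }

    // A logged-in user is posting under their own account; nothing to check.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    $name  = trim( $commentdata['comment_author'] );
    $email = trim( $commentdata['comment_author_email'] );

    // Exact e-mail or login match against the users table.
    $claimed = ( '' !== $email && get_user_by( 'email', $email ) )
        || ( '' !== $name && get_user_by( 'login', $name ) );

    // Display names are what readers actually see, so check those too.
    if ( ! $claimed && '' !== $name ) {
        $matches = get_users( array(
            'search'         => $name, // no "*" wildcard, so an exact match
            'search_columns' => array( 'display_name', 'user_nicename' ),
            'number'         => 1,
            'fields'         => 'ID',
        ) );
        $claimed = ! empty( $matches );
    }

    if ( $claimed ) {
        wp_die( __( 'That name or e-mail belongs to a registered user. Log in to use it.' ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_block_comment_impersonation' );
```

Two unregistered visitors named Joe can still both post, and a dynamic IP makes no difference because no IP is compared. Look-alike spellings of a registered name are not caught by an exact match.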
