TJ09

2017-06-13 - Important Forum Notice


I've recently been made aware of a security issue with the forum software. This issue would have allowed someone to access sensitive account data, such as e-mail addresses and encrypted passwords. I believe I have found the issue and fixed it to prevent further exploitation (as well as made a few changes to reduce the chance of future security holes). This issue only affected the forums. Dragon Cave itself runs from a separate server and was not affected.

 

I do not have concrete evidence that any data was actually shared beyond the person who originally reported the issue to me; however, I strongly recommend changing your forum password. If your forum password is the same as some other site, you should change those passwords as well. In general, sharing passwords between sites is a bad idea for exactly this reason. There are tools that can help you manage unique passwords per-site, such as 1Password, KeePass, or LastPass.

 

While the security hole has likely been plugged, it does little to stop the sinking ship that is 14-year-old forum software. The forums have been showing their age for quite some time and are likely a single software upgrade away from falling apart. While I've been slowly working through the process of upgrading to software that is actively maintained, in light of this issue I'm going to be immediately prioritizing this. I don't yet have a timeframe, but the goal is ASAP.

 

After evaluating several possibilities (such as IPS 4, PHPBB, and vBulletin), the best option appears to be staying with Invision and upgrading to the latest version. The software has changed significantly in the last decade, but I believe it can be sufficiently customized to avoid too much churn. If you have any questions or concerns about this upgrade, feel free to voice them here (yes, I already know of a number of things that people don't like about the new version; don't worry).


Thank you, TJ, for letting us know and for taking care of the situation.

 

My PayPal was also compromised recently, not sure if it had anything to do with this, but just putting it out there so others know. I did have the same password for both, lesson learned.

Edited by sara4cows


I'm rather happy that you don't plan on going to vBulletin *shudders*

 

Thanks for the heads up :)


I know FeralFront migrated forums some time ago and everyone hated it, but I quite liked the new one (although a lot of functionality was gone.) I'm sure a newer forum would have not only better security but probably also more functions. anyways


Thanks for the heads up :)


Thanks heaps; password changed.

 

Issue already raised last time you suggested this - will you be able to find a way to archive messages to our computers? (Yes I'm one who hates the LOOK of the place as it would be on the latest version, and the "conversations" instead of messages thing - but that I CAN live with for security.)

Edited by fuzzbucket


Password changed, thanks for the heads up.


Thanks for the notice - it was about time to change that old password of mine anyways. :o I'm glad I haven't been using the same one on other sites for a while now.

This topic is now closed to further replies.

