w3all Login Widget


Re: w3all Login Widget

by DjPorkchop73 » Sun Sep 13, 2020 9:41 pm

Interesting! I would love to have a look at it. Thanks for sharing! I will check it all out now.

Re: w3all Login Widget

by axew3 » Sun Sep 13, 2020 1:45 pm

Nice point. I will look into it ASAP because I'm so curious.

Out of context: you'll be the first, along with the phpBB programmers at phpbb.com, to see the new (the first) rotate attachments extension for phpBB!

https://github.com/axew3/phpBB-image-at ... s-rotation

I will be happy if you can test it then!

You may wish to know better how it works, so for now, please check this post: https://www.phpbb.com/community/viewtop ... #p15591241

Here is the video that shows what it means, and the img cache issue, which is easy to resolve, a secondary aspect that will be covered soon:
https://www.youtube.com/watch?v=gqyCTTQFGvI

w3all Login Widget

by DjPorkchop73 » Sun Sep 13, 2020 11:55 am

Good morning (my time) and a great day to you!

I made a quick observation today that I noticed may be alarming to some (??) but maybe not. Here is what I observed.

1. I install WordPress and then integrate phpBB3 with your wonderful plugin and then I embed using the iFrame.
2. I secure my website further by changing the name of my plugins folder due to many hackers gaining access through the plugins folder.
3. I make sure my Display name does not match my login name; however, for integration purposes, email and usernames match for WordPress and phpBB3.
4. I chose to disable regular access to the WordPress login methods such as /wp-admin/, /admin/, and /login/. This is possible via the WordPress Security suite that we used to secure our integration and WordPress, as pointed out here: https://www.axew3.com/w3/forum/?coding= ... BocD9mPTI=

Now here is what I observed when I disabled standard login access and changed the link to a "secret" link. Let's say I called my secret login link /pinkfloyd

If I choose to enable the w3all Login Widget and hover over the word "Login", it exposes my secret login link. Now this is not really a big deal at all if one secures their WordPress as you have pointed out in the link that I shared in this post in point #4. And you even stated in the post not to go overboard and set too many settings in the security as it is not needed. I completely agree with you. But .... I must test anyhow because that is what I do. I test. :D

So if someone DOES care and they DO alter their login link, they cannot ever use the w3all login widget under any circumstances ever or their "Secret" login link will be revealed to all. I do not believe this is a w3all issue at all. I firmly believe this is a WP Security issue that needs to be resolved ASAP. They are the ones who offer the "Secret Link" setting and it leaks the secret link if you use the login widget provided by WP as well.

As pointed out, this is not your plugin's fault. I just wanted to point it out to you and make it known so maybe in your "secure your install" thread that I linked to, you can make a mention if you so desire. I feel as though some might see your widget give up the secret and blame you and in all reality, it is in fact not your plugin's fault at all. It is WP Security's fault. I call that a security leak.

Have a safe and wonderful day/evening and may you enjoy many wonderful cups of delicious coffee!
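
A check for the leak described in the post above, as an added example that is not part of the original thread or of the w3all plugin: it scans the HTML an anonymous visitor receives for links or form targets that contain the renamed login path. The page markup, the `example.test` host and the function names are constructed for illustration; `/pinkfloyd` is the slug used in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that can carry a URL visible to any anonymous visitor.
URL_ATTRS = {"href", "action", "src", "data-href"}


class LoginSlugAuditor(HTMLParser):
    """Collects every tag whose URL attribute points at the renamed login path."""

    def __init__(self, secret_slug):
        super().__init__()
        self.slug = secret_slug.strip("/").lower()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and self._hits(value):
                self.findings.append((self.getpos()[0], tag, name, value))

    def _hits(self, url):
        parts = urlsplit(url)
        # Match the slug as a whole path segment, or inside a redirect parameter.
        segments = [s.lower() for s in parts.path.split("/") if s]
        return self.slug in segments or self.slug in parts.query.lower()


def audit(html, secret_slug):
    """Return every place in the rendered HTML that reveals the login slug."""
    auditor = LoginSlugAuditor(secret_slug)
    auditor.feed(html)
    return auditor.findings


# Constructed sample: a public page as an anonymous visitor would receive it.
SAMPLE_PAGE = """<html><body>
<nav><a href="https://example.test/">Home</a></nav>
<aside class="widget">
  <a href="https://example.test/pinkfloyd/?redirect_to=%2F">Login</a>
  <form method="post" action="https://example.test/pinkfloyd/"></form>
</aside>
<p>Fan page: <a href="https://example.test/tag/pinkfloyd-albums/">albums</a></p>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in audit(SAMPLE_PAGE, "/pinkfloyd"):
        print(f"line {line}: <{tag} {attr}> exposes {url}")
```

Run it against the saved HTML of each public page after enabling a widget or theme change; an empty result means the renamed path does not appear in any scanned URL attribute.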
