  • darb replied on the discussion topic Security Questions
    I AM NOT USING ANY 3rd PARTY ACCOUNT VALIDATION. Problem is solved though; ELGG UNINSTALL.
  • darb replied on the discussion topic Security Questions
    It is not email validation that they are bypassing, they are validating their own pending accounts waiting for administrator approval. http:blacklist blocked 7, six registered and 3 self validated in 24 hours.
  • darb replied on the discussion topic Security Questions
    Thanks for the reply. The primary reason that I am reaching out for help is that just recently the bots/spammers/crawlers have found a way to validate their own accounts. I have had about 4 cases, in the past 72 hours or so. So...
  • darb added a new discussion topic Security Questions in the group General Discussion
    Hi, I am currently running 2.2.0 and was just wondering if my log entries from the link below are normal? My site has been constantly under attack from the...
    • They are people who really don't know how Elgg works. The best social engine for free; people don't know the value. They should have gone through Dolphin CMS, had their money drained and still never get support from any of the developers over there. Forget the support: even if you have to use their forum to ask questions you need to be a premium member. But in the case of Elgg you get everything for free, plus you get support for free as well. Elgg has gone through so many updates and I have never once faced the problem of security or bypassing the validation. I have found spammers validating and passing but never once found bypassing the validation.

    • It's of course completely possible that some core bug allows self-validation. What we'd need to resolve that is to know the IP(s) logged for a user who did this and cross-reference those with httpd access logs to see exactly what HTTP requests were made. It's a lot of work. There's some easy stuff core could do to help:

    • Before taking it for granted that any "self"-validation has actually happened I would like to get some conclusive facts about what exactly is happening and what plugins (bundled and 3rd party plugins) are installed and enabled AND if any 3rd party plugins used are really for Elgg 2.x. I don't know if this will ever happen though with respect to the huffy reply on the suggestion that the accounts COULD be (NOT must be!) due to registering with 3rd party site credentials.

      What I find irritating is that the first post seems to connect the perfectly normal Elgg log entries with "my site is being attacked from day 1". So, no indication yet that there is any kind of self-validation.

      Next, the stats of the http:blacklist plugin are cited twice (as some kind of evidence that self-validation happens?). But the non-blocked registration count wouldn't give any indication that the registered accounts are fishy in any way. Some might be (not yet reported before) but others might be perfectly alright. The counter also would refer to number of accounts registered and not number of accounts activated.

      What plugin is really used for account validation? As it was mentioned that "approval by admin" was intended I just assumed that the uservalidationbyadmin was used. But is this even true? Maybe the (wrong) assumption is that by NOT using the uservalidationbyemail plugin the accounts would require admin approval... instead of being automatically enabled! And even if the uservalidationbyadmin plugin is used it's still the question if it is used in the version compatible with Elgg 2 AND if the plugin is fully working on Elgg 2. But so far nobody else has reported any problems with uservalidationbyadmin. So, is it likely that self-validation of accounts happens isolated on one single Elgg site only?

  • darb joined the group General Discussion