
How do unauthenticated users get onto our site?

We have a site that requires validation with an outside authentication service (a wiki/LDAP), yet we see users with obviously bad names on our site "posting" questions with nonsense in them.

It is apparent that there are others who use AskBot with similar issues.
I have a few questions:

  • How did these users create accounts for themselves if they did not use our (what we thought was a) single external authentication?

  • How can we stop this from happening?

  • How did these bots find the site? (we don't publish it - it is a closed site)

EDIT: Note that I was able to reproduce the ability to sign in with nonsense accounts by navigating to [mysite]/account/signup/?login_provider=local. There is no way to get there from a UI as far as I could tell, but the URL works and allows a person to sign up.

tim
asked 2014-12-13 19:15:56 -0600, updated 2014-12-21 21:04:10 -0600

1 Answer

It could be that you have login methods available that bypass your LDAP or you have allowed making posts without registration.

Are you hosting this site on your own/organization's server? Is anything customized on your instance?

Evgeny
answered 2014-12-19 03:13:27 -0600

Comments

The attempts apparently just came through the usual registration page. Although it was not possible to get to that page through the UI, the URL still worked. We are hosting on our own server. Users must be registered to see content/post. We fixed this by using the domain whitelist for emails in order to register.

tim (2014-12-21 12:59:45 -0600)

Which URL was that?

Evgeny (2014-12-21 13:52:36 -0600)

.../account/signup/?login_provider=local

tim (2014-12-21 21:02:57 -0600)
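An added example, not part of the original thread and not AskBot code: a script that scans web-server access logs for requests to the signup URL quoted above, so an administrator can see which clients reached the registration page that the UI does not link to. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SIGNUP_PATH = "/account/signup"   # path quoted in the question
PROVIDER = "local"                # login_provider value quoted in the question

def is_local_signup(target):
    """True if the request target is the signup page with login_provider=local."""
    parts = urlsplit(target)
    # endswith() tolerates a URL prefix in front of the path; rstrip() a trailing slash.
    if not parts.path.rstrip("/").endswith(SIGNUP_PATH):
        return False
    # parse_qs percent-decodes values; compare case-insensitively to cast a wide net.
    values = parse_qs(parts.query).get("login_provider", [])
    return any(v.lower() == PROVIDER for v in values)

def find_local_signups(lines):
    """Map client IP -> list of (timestamp, method, status) for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_local_signup(m.group("target")):
            hits[m.group("ip")].append(
                (m.group("ts"), m.group("method"), int(m.group("status"))))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Dec/2014:18:02:11 -0600] "GET /account/signup/?login_provider=local HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Dec/2014:18:02:15 -0600] "POST /account/signup/?login_provider=local HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Dec/2014:18:05:40 -0600] "GET /questions/ HTTP/1.1" 200 4300 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Dec/2014:18:06:02 -0600] "GET /account/signup/?next=%2F&login_provider=LOCAL HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_local_signups(SAMPLE_LOG).items():
        posts = sum(1 for _, method, _ in events if method == "POST")
        print(f"{ip}: {len(events)} request(s), {posts} POST(s)")
```

Clients that issue a POST to this URL are the ones that submitted the registration form, so their timestamps can be compared against the creation times of the suspicious accounts.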