0

How do unauthenticated users get onto our site?
 

We have a site that requires validation with an outside authentication service (a wiki/LDAP), yet we see users with obviously bad names on our site, "posting" questions with nonsense in them.

It is apparent that there are others who use AskBot with similar issues.
I have a few questions:

  • How did these users create accounts for themselves if they did not use our (what we thought was a) single external authentication?

  • How can we stop this from happening?

  • How did these bots find the site? (we don't publish it - it is a closed site)

EDIT: Note that I was able to reproduce the ability to sign in with nonsense accounts by navigating to [mysite]/account/signup/?login_provider=local. There is no way to get there from the UI as far as I could tell, but the URL works and allows a person to sign up.

51
tim
asked 10 years ago, updated 10 years ago


1 Answer

0

It could be that you have login methods available that bypass your LDAP or you have allowed making posts without registration.

Are you hosting this site on your own/organization's server? Is anything customized on your instance?

13.2k
Evgeny
answered 10 years ago

Comments

The attempts apparently just came through the usual registration page. Although it was not possible to get to that page through the UI, the URL still worked. We are hosting on our own server. Users must be registered to see content/post. We fixed this by using the domain whitelist for emails in order to register.

tim (10 years ago)

Which URL was that?

Evgeny (10 years ago)

.../account/signup/?login_provider=local

tim (10 years ago)
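
One way to confirm from the server side how the accounts were created, as an added example that is not part of the original thread or Askbot's own code: scan the web server's access log for requests to the `/account/signup/?login_provider=local` URL quoted above. The log lines are constructed, the "combined" log format is assumed, and treating a redirect after POST as an accepted signup is an assumption to verify against your own instance.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:04:11:02 +0000] "GET /account/signup/?login_provider=local HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:11:05 +0000] "POST /account/signup/?login_provider=local HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:09:30:41 +0000] "GET /account/signin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:10:02:13 +0000] "POST /account/signup/?login_provider=local HTTP/1.1" 200 5300 "-" "curl/7.40"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_local_signups(log_text, path="/account/signup/", provider="local"):
    """Return {ip: [(timestamp, method, status), ...]} for requests to the
    signup path that select the given login_provider."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != path.rstrip("/"):
            continue
        if provider not in parse_qs(url.query).get("login_provider", []):
            continue
        hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def likely_registrations(hits):
    """IPs whose POST to the signup URL was answered with a redirect, which
    this example treats as 'form accepted' (an assumption to verify locally)."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(meth == "POST" and 300 <= st < 400 for _, meth, st in reqs))

if __name__ == "__main__":
    found = find_local_signups(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("accepted signups from:", likely_registrations(found))
```

Any hit on this URL on a site that is supposed to authenticate only through the external provider is worth correlating with the creation time of the suspicious accounts.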