Linkbacks

[trux]

The kickbacks, err.. the linkbacks are quite a useful and interesting feature, allowing to find related forums and articles, and I look at them frequently (down in the thread under the posts). However, the implementation here in DB (and possibly generally) has the problem that instead of recording only accesses from unique domains, it registers every single URL. The problem is that when someone posts a link back to DB in their forum, the access URL of each member often differs, for example just by the session ID argument. The linkback section is then cluttered with dozens of identical links, which is pretty annoying and also unnecessarily slows down the page loading (and the DB server). You can see it for example in the recent SWB thread with about 50 linkbacks, practically all coming from the same post at freediving Finland.

Besides the flooding of the linkback section, it is also a very serious security issue, because session ID's of dozens of users from other forums are being exposed publicly. If someone with malicious intentions would like to abuse it, he could easily break into their accounts, and steal or abuse their identities. That's a serious issue a could even lead to legal problems.

All what is needed to do is adding a single command into the part which is looking up and storing the linkbacks, trimming them at the question mark, so that instead of

HTML Code:

http://www.freedivingfinland.net/smf/index.php?PHPSESSID=6ec1987afa5452c45aa5ae376ea43270&topic=527.msg3087;topicseen

only

HTML Code:

http://www.freedivingfinland.net/smf/index.php

is being stored. Well, at known URL formats from common sotware applications, the article or page argument could be kept, filtering out only variables like the session ID - that would allow a more precise linkback.

If you cannot fix it quickly yourself, it is definitely something that should be brought to the attention of the author of the module. Though, I believe that they already certainly heard about it, and very likely have fixed it in their current version - I cannot imagine it could be let in this way by any reasonable programmer.