Restricted Forums Security Exploit Help


  • [Forum] Restricted Forums Security Exploit Help

    Okay, so here's the problem. On the forums that me and some other people manage, we have a forum section for Staff Members only. These forums can only be viewed and posted in by users in a staff usergroup (Admin, Moderator, etc.). However, I just became aware of the fact that friends of staff members could also see what the staff members were posting in these restricted forums by going to their own profile and looking at their activity. Here's an example:

    [Image: Screen Shot 2013-01-20 at 10.04.39 PM.png]

    The user "Sate" would be able to see that the user "Dragons5439" posted in a restricted forum by going onto his own profile page. The forums we are using are currently running vBulletin 4.2 Patch Level 2. Does level 3 happen to resolve this issue?

  • #2
    Strange! Do you face that problem with all members or this member only? What happens if the user tries to access the thread from the URL?

    Former vBulletin Support Staff

    • #3
      Check that specific forum's permissions.

      What are they set to for Registered Users?
      Former vBulletin user


      • #4
        The activity stream follows all forum permissions, so you have your permissions set up wrongly for this to be happening.
        MARK.B | vBULLETIN SUPPORT


        • #5
          I'm almost positive the permissions are set up correctly, but I will check again.


          • #6
            That seems to be a problem with the permissions; checking them could solve this issue.
            No private support, only PM me when I ask for it. Support in the forums only.
