Restricted Forums Security Exploit Help

  • [Forum] Restricted Forums Security Exploit Help

    Okay, so here's the problem. On the forums that me and some other people manage, we have a forum section for Staff Members only. These forums can only be viewed and posted in by users in a staff usergroup (Admin, Moderator, etc.). However, I just became aware of the fact that friends of staff members could also see what the staff members were posting in these restricted forums by going to their own profile and looking at their activity. Here's an example:

    [Image: Screen Shot 2013-01-20 at 10.04.39 PM.png]

    The user "Sate" would be able to see that the user "Dragons5439" posted in a restricted forum by going onto his own profile page. The forums we are using are currently running vBulletin 4.2 Patch Level 2. Does level 3 happen to resolve this issue?

  • #2
    Strange! Do you face that problem with all members or this member only? What happens if the user tries to access the thread from the URL?

    Former vBulletin Support Staff
    Need Help?, Or P.M. Me


    • #3
      Check that specific forum's permissions.

      What are they set to for Registered Users?
      Former vBulletin user


      • #4
        The activity stream follows all forum permissions, so you have your permissions set up wrongly for this to be happening.

        TalkNewsUK - My vBulletin 5.6.4 Demo
        AdminAmmo - My Cloud Demo


        • #5
          I'm almost positive the permissions are set up correctly, but I will check again.


          • #6
            That seems to be a problem with the permissions; checking them could solve this issue.
            No private support, only PM me when I ask for it. Support in the forums only.

