Possible security issue


  • Possible security issue

    Whilst viewing 'who's online' one of my moderators noticed a registered member viewing one of the private forums. I've looked into it and found that it is possible for people to be able to view posts in forums they don't have access to. If the 'last post' link in a mod's profile is to a post in a private forum then anyone clicking that link can view the post even though they shouldn't have access to it. I'm running 2.2.1 with only a couple of minor hacks.

  • #2
    Make sure the setting "Can View Threads" in the access masks is turned off.


    • #3
      If you have "Can View Threads" turned on under
      Usergroups > Modify Forums > forum name > Registered
      they will be able to view threads regardless of whether they can view the forum. Also make sure you have Access Masks turned on - vBulletin Options > User & Registration Options > Enable Access Masks.



      • #4
        I am having the same problem - registered users can view a private forum by clicking on the link to the last post in the forum.

        I have a main forum on the index page that is viewable by all, then inside that there is a forum for only certain members. Within that forum there is another private forum that is only viewable to its moderators. But if one of those moderators has posted, it therefore shows as the last post on the index page, and any registered member with access to the first private forum can then view the post in the second, moderator-only forum.

        My board is running 2.30

        I have access masks enabled, hide private forums set to yes, each usergroup's permission for the mods only forum is set to custom and 'no' for each choice. The forum is also set to private in its set up.

        Any help would be greatly appreciated
        Last edited by Sadie Frost; Sun 30 Nov '03, 8:09pm.

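An added example, not part of the thread and not vBulletin code: a small audit for the condition reply #3 describes ("Can View Threads" on while the forum itself is not viewable), run over a constructed nested layout like the one in reply #4. The data model, the names and the inheritance rule are assumptions made for illustration.

```python
# Added example. Hypothetical data model, not vBulletin's schema or code.
# Constructed sample: forum id -> (title, parent forum id)
FORUMS = {1: ("Main", None), 2: ("Members Only", 1), 3: ("Moderators Only", 2)}

# Constructed sample: explicit permission rows keyed by (forum id, usergroup).
# Assumption: a forum with no row for a group inherits the nearest ancestor's row.
ROWS = {
    (1, "Registered"): {"view_forum": True, "view_threads": True},
    (2, "Registered"): {"view_forum": False, "view_threads": True},  # mismatch
    (1, "Moderators"): {"view_forum": True, "view_threads": True},
}
DENY = {"view_forum": False, "view_threads": False}


def effective(forum_id, group):
    """Return (permission row, id of the forum it came from); deny if none found."""
    current = forum_id
    while current is not None:
        if (current, group) in ROWS:
            return ROWS[(current, group)], current
        current = FORUMS[current][1]
    return DENY, None


def find_mismatches(groups):
    """List (forum title, group, source forum title) where threads are readable
    through a direct link although the forum itself is hidden from the group."""
    hits = []
    for forum_id, (title, _parent) in sorted(FORUMS.items()):
        for group in groups:
            row, source = effective(forum_id, group)
            if row["view_threads"] and not row["view_forum"]:
                hits.append((title, group, FORUMS[source][0]))
    return hits


def may_read_thread(forum_id, group):
    """Deny-by-default check for a direct thread link: both flags must be set
    on the thread's forum and on every ancestor forum."""
    current = forum_id
    while current is not None:
        row, _source = effective(current, group)
        if not (row["view_forum"] and row["view_threads"]):
            return False
        current = FORUMS[current][1]
    return True


if __name__ == "__main__":
    for hit in find_mismatches(["Registered", "Moderators"]):
        print("mismatch: forum=%s group=%s set on=%s" % hit)
```

In the sample, the single mismatched row on "Members Only" is also reported for "Moderators Only", because the child forum has no row of its own and inherits it.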


        • #5
          Edit: Never mind.

          I can guarantee that if you have your permissions set correctly and the forum is not hacked, users will not be able to see any forums they don't have permission to see.

          If you have not installed any hacks, fill out a support ticket at:

          http://www.vbulletin.com/members/support_form.php

          Be sure to include the login info to your Admin CP, phpMyAdmin and FTP. If you have installed hacks, then remove the hacks first then check and see if you still have this problem. If so, leave the default vB files in place and fill out the support request.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
          Change CKEditor Colors to Match Style (for 4.1.4 and above)

          Steve Machol Photography


          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




          • #6
            P.S. You responded to a thread that was 2 years old. You should have started a new thread instead.


            • #7
              Just trying to not start threads whose topics already exist



              • #8
                No, it would be much better to start a new thread on your problem rather than to piggyback off of someone else's - particularly when that thread is 2 years old.