Major Duplicable Security Hole: Is This a Bug?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Originally posted by JamesUS
    I will look at it when I get home today, but it is beginning to sound like it might be a hack problem. If someone can reproduce it on an unhacked board it would be useful though.

    I think it was the problem with personal access masks, when you find a user to change their profile. There was a thread about this before, and I also posted saying I have the same problem, but no one ever answered....

    Comment


    • #17
      Okay--I used a VERY smart program called Beyond Compare, which allows me to step through the exact differences between files. Using this, I was able to figure out all of the hacks I have installed:

      1. Send HTML e-mail to board members
      2. Expand/collapse forums
      3. Blink PM bar on forum home
      4. vbStats
      5. Show avatar on forum home
      6. Show number of threads since last login on forum home

      These things in member.php (it could be a change between v2.2.0 and v2.2.1):

      See attached text file in next post.

      That's all. I did notice that Contract posts changes almost all PHP files. Prohacker: do you have this hack installed?

      Your continued help is much appreciated. None of these hacks seem to have any impact whatsoever on moderator privileges.
      Last edited by jminiman; Mon 21st Jan '02, 1:22pm.

      Comment


      • #18
        Changes in members.php.

        Comment


        • #19
          I tried it on a forum with no hacks, and a forum with hacks, and produced the same effect.... Oh well, guess my mods got to see a few secrets

          Comment


          • #20
            I don't like this--I have several forums that have confidential information posted; perhaps I need to be looking for a more secure forums system?

            Comment


            • #21
              What changes have you made to admin/forum.php ?

              John
              John Percival

              Artificial intelligence usually beats real stupidity ;)

              Comment


              • #22
                Changes to admin/forum.php

                1. (start line 126)
                // expand collapse hack
                maketableheader("Display Setting");
                makeyesnocode("Collapse Children","collapsed",0);
                // end expand collapse hack


                2. Changed line 140 to: styleoverride,allowratings,countposts,moderateattach,collapsed)

                3. Changed line 145 to:
                '$styleoverride','$allowratings','$countposts','$moderateattach','$collapsed')");

                4. Added starting line 230:
                // expand collapse hack
                maketableheader("Display Setting");
                makeyesnocode("Collapse Children","collapsed",$forum[collapsed]);
                // end expand collapse hack

                5. Changed line 168 to:
                moderateattach='$moderateattach', collapsed='$collapsed'

                Every one of these changes is a result of the collapse hack.

                Comment


                • #23
                  In functions.php, I have this starting at line 293:

                  if ($post[usergroupid]==6 OR $post[usergroupid]==5) {
                  $post[message]=bbcodeparse2($post[pagetext],1,1,1,1);
                  } else {
                  $post[message]=bbcodeparse($post[pagetext],$forum[forumid],$post[allowsmilie]);
                  }

                  Comment


                  • #24
                    Well, all,

                    It wasn't the most elegant solution, but by brute force, I deleted all entries from the "access" table. Every last entry was bull crud and should never have been there. Killing all of those entries brought each mod's private forum access back to default (which for most private forums is no access). I checked several users, and much as I expected, their permissions were all set back to default for the private forums. The BIG QUESTION:

                    Will it stay like this or will I have to periodically clear out the access table?

                    Comment
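
The question that closes post #24, whether the access table has to be cleared out periodically, points to a recurring check. As an added example (not code from the thread or from vBulletin), this Python/sqlite3 sketch flags only the per-user rows that grant viewing where the user's group is denied by default, and archives them before deleting. The table names, column names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data. Table and column names are assumptions for this
# sketch and are not taken from vBulletin's actual schema.
SETUP = """
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, usergroupid INTEGER);
CREATE TABLE forumpermission (forumid INTEGER, usergroupid INTEGER, canview INTEGER);
CREATE TABLE access (userid INTEGER, forumid INTEGER, accessmask INTEGER);
CREATE TABLE access_audit (userid INTEGER, forumid INTEGER, accessmask INTEGER);
INSERT INTO user VALUES (1,'mod_a',7), (2,'mod_b',7), (3,'member_c',2);
INSERT INTO forumpermission VALUES (10,7,0), (10,2,0), (11,7,1), (11,2,1);
INSERT INTO access VALUES (1,10,1), (2,11,1), (3,10,0);
"""
# Forum 10 is private (both groups denied by default), forum 11 is public.

# Per-user rows that grant viewing where the user's group default denies it.
ESCALATIONS = """
SELECT a.userid, u.username, a.forumid
FROM access a
JOIN user u ON u.userid = a.userid
JOIN forumpermission p ON p.forumid = a.forumid AND p.usergroupid = u.usergroupid
WHERE a.accessmask = 1 AND p.canview = 0
ORDER BY a.userid, a.forumid
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn

def find_escalations(conn):
    return conn.execute(ESCALATIONS).fetchall()

def quarantine(conn, rows, approved=frozenset()):
    """Copy unapproved escalating rows to access_audit, then delete them."""
    removed = [r for r in rows if (r[0], r[2]) not in approved]
    with conn:  # one transaction: copies and deletes commit together
        for userid, _name, forumid in removed:
            conn.execute(
                "INSERT INTO access_audit SELECT userid, forumid, accessmask "
                "FROM access WHERE userid = ? AND forumid = ?", (userid, forumid))
            conn.execute("DELETE FROM access WHERE userid = ? AND forumid = ?",
                         (userid, forumid))
    return removed

if __name__ == "__main__":
    db = build_sample_db()
    flagged = find_escalations(db)
    print("flagged:", flagged, "removed:", quarantine(db, flagged))
```

Passing the `(userid, forumid)` pairs an administrator has deliberately granted as `approved` keeps them in place, so only unexplained grants are removed.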


                    • #25
                      Prohacker tested this out on a clean forum, and reported the problem is still in effect.

                      Comment


                      • #26
                        I would imagine it'll get moved to bugs as soon as a mod runs the same test, and we'll see a fix shortly. Or will they conveniently blame it on the hacks?
                        Toddler from Hell

                        Comment


                        • #27
                          FWIW, this does not happen on either of my essentially non-hacked boards.
                          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                          Change CKEditor Colors to Match Style (for 4.1.4 and above)

                          Steve Machol Photography


                          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                          Comment


                          • #28
                            I'm going to do another fresh install on a server tonight, just had it rebuilt after an intrusion, so it'll be a good test.......

                            Comment


                            • #29
                              Originally posted by Fusion
                              Or will they conveniently blame it on the hacks?
                              That was uncalled for...

                              Comment


                              • #30
                                Originally posted by tubedogg
                                That was uncalled for...
                                Oh, come now, you saw the smilie..
                                Toddler from Hell

                                Comment
