Major Duplicable Security Hole: Is This a Bug?

  • #31
    Prohacker - can you let us know the exact steps you took to reproduce this problem?

    Thanks,
    John
    John Percival

    Artificial intelligence usually beats real stupidity ;)

    Comment


    • #32
      Of course...

      I'm installing another test forum now....... I'll make an exact list after I'm done if I come up with the same error....

      Comment


      • #33
        Very strange....

        I installed a fresh copy of vB and added a few users, and had the same problem...


        But I checked my email and a few people had problems with accessing certain things in PHP and MySQL, so I recompiled both, and the problem is gone....

        Not sure if the "hacker" that got in screwed up the programs, but totally possible......

        To the people that have the problems:

        What host do you use??


        There are several resellers on this box...

        Comment


        • #34
          What compile settings did you use for PHP, and how (if at all) does your php.ini differ from the default?
          I'll see if I can reproduce it tomorrow.
          My open eyes see everything, and you see nothing. . .
          That forum

          Comment


          • #35
            ./configure --with-apxs=/usr/local/apache/bin/apxs --with-xml --with-swf=/usr/local/flash --with-gd=../gd-1.8.4 --with-jpeg-dir=/usr/local --with-imap=../imap-2001.BETA.SNAP-0107112053 --with-ming=../ming-0.1.1 --enable-magic-quotes --with-mysql --enable-safe-mode --enable-track-vars --with-ttf --enable-versioning --with-zlib --with-curl --with-Kerberos=/usr/kerberos --enable-ftp --with-png




            Standard PHP.ini, Cpanel 4 server, I know, the cpanel being installed can explain a lot...

            Comment


            • #36
              May I ask... whatever happened with this security problem?

              Does it affect 2.2.5 ?

              Was a fix made for it? If so, where is it available?

              I haven't opened my board for members to start using, yet... so I don't know if I would have this problem... but I'm trying to cover all my bases ahead of time. Thanks!

              mishkan

              Comment


              • #37
                I had a problem about mods getting set access, but I've upgraded several times and no longer have the problem.. It could have just been a mysql fluke, I don't know.. But with 2.2.5 and 2.2.6 it's just fine...

                Comment


                • #38
                  I can honestly say that this is not a "hack" problem. I had the same problem, and still do, and would really appreciate finding out how others corrected this. Here is the EXACT problem:

                  When you create a private forum, it automatically sets anyone in the moderators group's ACCESS MASKS to "YES" for that forum, and you have to MANUALLY set them back to default in order for the permissions to work correctly. This was happening on my forum before any hacks were installed, and still is, from versions 2.2.1 all the way to 2.2.5.

                  Did anyone figure out how to correct this yet?

                  Talon

                  Comment


                  • #39
                    Originally posted by Talon3DHQ
                    When you create a private forum, it automatically sets anyone in the moderators group's ACCESS MASKS to "YES" for that forum, and you have to MANUALLY set them back to default in order for the permissions to work correctly.
                    This has been the default behavior ever since I can remember.
                    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                    Change CKEditor Colors to Match Style (for 4.1.4 and above)

                    Steve Machol Photography


                    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                    Comment


                    • #40
                      Originally posted by smachol
                      This has been the default behavior ever since I can remember.
                      If that is the case, then no offense to Jelsoft, but it is just silly. Why should I have to go to EACH AND EVERY moderator and MANUALLY set their forums access to "DEFAULT" when I have already set the permissions to the forum in question to NOT allow ANY moderators in? The permissions should take care of that, but instead I have to set permission AND set access masks manually for just this one group. Why doesn't it do this for just Moderators, and not Super Moderators, or even Admins? Sorry, it really just doesn't make any sense to me.


                      Talon
                      Last edited by Talon3DHQ; Mon 24th Jun '02, 12:02pm.

                      Comment


                      • #41
                        I don't disagree. I do believe this is fixed in vB 3.0.
                        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                        Comment


                        • #42
                          Originally posted by smachol
                          I don't disagree. I do believe this is fixed in vB 3.0.

                          Ok, that is good to hear, but I suppose asking for it to be corrected in version 2.2.5 or .6 is too much? I guess I will have to try the "access table" thing mentioned earlier in this thread.

                          Comment


                          • #43
                            Just remove / comment out this part in admin/forum.php:
                            PHP Code:
                                $mods=$DB_site->query("SELECT DISTINCT moderator.userid FROM moderator,user WHERE moderator.userid=user.userid AND user.usergroupid<>6 AND user.usergroupid<>5");
                                if ($DB_site->num_rows($mods)) {
                                  while ($mod=$DB_site->fetch_array($mods)) {
                                    $accessto[] = $mod['userid'];
                                  }
                                  while ( list($key,$userid)=each($accessto) ) {
                                    $DB_site->query("INSERT INTO access (userid,forumid,accessmask) VALUES ('$userid','$forumid',1)");
                                  }
                                }
                            Mystics

                            Comment
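Added example, not part of the thread or of vBulletin's code: the snippet quoted in #43 replayed against an in-memory SQLite database, followed by an audit that lists who holds an explicit "yes" access mask on a forum and a cleanup of the auto-inserted rows. The schema is constructed from only the table and column names visible in that snippet, the function names and sample usergroup numbers are hypothetical, and treating a deleted `access` row as the "default" mask is an assumption.

```python
import sqlite3

# Constructed minimal schema: only the tables and columns named in the quoted
# admin/forum.php snippet. The real vBulletin tables carry more columns.
SCHEMA = """
CREATE TABLE user (userid INTEGER PRIMARY KEY, usergroupid INTEGER);
CREATE TABLE moderator (userid INTEGER);
CREATE TABLE access (userid INTEGER, forumid INTEGER, accessmask INTEGER);
"""

# Same selection the snippet uses: moderators outside usergroups 5 and 6.
MODS_SQL = """
SELECT DISTINCT moderator.userid FROM moderator, user
WHERE moderator.userid = user.userid
  AND user.usergroupid <> 6 AND user.usergroupid <> 5
"""

def create_private_forum(db, forumid):
    """Replays the snippet: one accessmask=1 row per selected moderator."""
    for (userid,) in db.execute(MODS_SQL).fetchall():
        db.execute("INSERT INTO access (userid, forumid, accessmask) VALUES (?, ?, 1)",
                   (userid, forumid))

def audit_forum(db, forumid):
    """Users holding an explicit 'yes' mask on the forum, with their usergroup."""
    return db.execute(
        "SELECT access.userid, user.usergroupid FROM access "
        "JOIN user ON user.userid = access.userid "
        "WHERE access.forumid = ? AND access.accessmask = 1 "
        "ORDER BY access.userid", (forumid,)).fetchall()

def reset_moderator_masks(db, forumid):
    """Assumption: deleting the row equals 'default'. Also drops hand-made mod grants."""
    cur = db.execute(
        "DELETE FROM access WHERE forumid = ? AND accessmask = 1 "
        f"AND userid IN ({MODS_SQL})", (forumid,))
    return cur.rowcount

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data: users 3 and 4 are moderators in a group other than 5 or 6.
    db.executemany("INSERT INTO user VALUES (?, ?)", [(1, 6), (2, 5), (3, 7), (4, 7), (5, 2)])
    db.executemany("INSERT INTO moderator VALUES (?)", [(1,), (2,), (3,), (4,), (4,)])
    db.execute("INSERT INTO access VALUES (5, 10, 1)")  # grant made by hand to a non-moderator
    create_private_forum(db, 10)
    before = audit_forum(db, 10)
    removed = reset_moderator_masks(db, 10)
    return before, removed, audit_forum(db, 10)
```

Running `audit_forum` right after creating a private forum shows exactly which accounts gained access without an administrator granting it, which is the list to review before opening the forum.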


                            • #44
                              Ok, that's great. Thanks a lot. I will try this tonight when I get home from work.

                              Thanks!

                              Talon

                              Comment


                              • #45
                                I'm pretty sure this has not been changed in vB3.

                                There's a simple way to avoid this - don't set the forum to private, and change permissions for your other groups to not be able to view/post/etc. in it.

                                Comment
