Security Flaw! Urgent help needed ...

  • Security Flaw! Urgent help needed ...

    It just came to my attention that there is a security flaw (possibly, hopefully not and just an error on my part) in vB 2.2.1:

    We have four main user groups (i.e. outside of COPA, Users Awaiting Confirmation etc.):
    - Registered
    - Authorized Personnel
    - BTDTs
    - Administrators

    Now, we have three private forums:
    - Authorized Personnel Only
    - Team Room
    - SOCNET Personnel Only

    Those in user group Authorized Personnel can access the Authorized Personnel Only forum.

    Those in the BTDTs user group can access both APO and the Team Room.

    Admins can access all three.

    But it just came to my attention that if a member in the BTDTs user group were to click on "members" in the top right corner, find an administrators name, click on the search function, they are permitted to preview the posts that appear in the SOCNET Personnel Only forum.

    I checked the permissions for the forum and made sure BTDTs couldn't view the forum nor search it, yet I can still perform searches and come up with previews using a test screen name set to the user group BTDTs. And while I cannot access the private SPO forum, I clearly see it listed in the forums summary when I should just be seeing Authorized Personnel Only and Team Room.

    Please advise ...

  • #2
    Have you enabled access masks in vB admin -> edit options?


    • #3
      It wasn't enabled. I just enabled it, still doing the same thing. But I take it with it enabled now, in order to disallow everyone in the BTDTs user group, I'd have to make sure the 57 users (in the BTDTs user group) have no selected in Forum Access for the SOCNET Personnel Only board? If so, even this still seems like a flaw as it should work (or at least I would imagine it should) if I had custom permissions for each forum...?

      Standing by ...
      Last edited by Jeff Rambo; Thu 14 Feb '02, 12:19pm.


      • #4
        Anyone have anything else to add or was I correct with my last *assumption*?

        (Thanks by the way eva)


        • #5
          Yes, I'm curious about this too.
          Anyone know?

          bump to the top.


          • #6
            1. Access masks are turned on.

            2. Set permissions for the Forum you don't want them to see to:

            Posting Options
            Private forum - SET TO YES
            (Invisible to all except moderators and admins; user access masks must be on!)

            3. Another control you have which gives you even greater control over every single user group you have on a user group by user group basis and forum by forum basis <wew>:

            Admin > Forums and Moderators > Permissions

            In the screen you see click each user group for a given forum and then:

            - Select radio button for Use custom settings:

            Can view forum - set this to No

            Click Save Changes Button

            This should do it. You can hide a given forum from Mods. You can hide a given forum from users who are not logged in, and much much more, using this granular and hard to understand technique.

            Test it with a test account set to the appropriate user group and not your Admin account.

            Last edited by Steve_S; Sat 23 Feb '02, 11:13pm.
            Have a great day :)


            • #7
              Neither of those tips worked. Everything was already set as outlined above. Any clue?


              • #8
                Originally posted by Jeff Rambo
                Neither of those tips worked. Everything was already set as outlined above. Any clue?
                This thread applies to 2.2.1; we're at 2.2.7 now.


                • #9
                  Is the problem corrected in the new version?


                  • #10
                    Originally posted by Jeff Rambo
                    Is the problem corrected in the new version?

                    I believe it was in 2.2.6



                      • #12
                        Make sure that if the Private Forums are children, that you manually set forum permission for EACH forum individually - if you just rely on the parent forum setup, it won't work. You need to set up each private forum's forum permission individually.
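The configuration steps in post #6 (access masks on, the private-forum flag, per-group "Can view forum" settings) and the caveat in post #12 (child forums need their own explicit permissions) both come down to one principle: every path that can reveal a post, including the member search preview described in the first post, has to run through the same visibility check as viewing the forum directly. The following added example models that principle in Python; it is not vBulletin code and makes no claim about vBulletin's internal implementation. The forum and group names come from the thread; the "Staff Area" parent forum, the user and post records, the `DEFAULT_CAN_VIEW` fallback and the `copy_parent_permissions` helper are constructed assumptions for the demonstration.

```python
"""Model of forum visibility applied uniformly to forum listing and search.

Added example (not vBulletin's code). Assumptions: a forum with no custom
per-group setting falls back to DEFAULT_CAN_VIEW, and a child forum does NOT
inherit its parent's custom settings (the pitfall described in post #12).
"""
from dataclasses import dataclass, field
from typing import Optional

GROUPS = ("Registered", "Authorized Personnel", "BTDTs", "Administrators")


@dataclass
class Forum:
    name: str
    parent: Optional[str] = None
    private: bool = False  # "Private forum - SET TO YES": only mods/admins see it


@dataclass
class User:
    name: str
    group: str
    is_admin: bool = False
    is_mod: bool = False
    # per-user access mask: forum name -> allowed; absent means no mask set
    access_mask: dict = field(default_factory=dict)


FORUMS = {
    "Authorized Personnel Only": Forum("Authorized Personnel Only"),
    "Team Room": Forum("Team Room"),
    "Staff Area": Forum("Staff Area"),  # constructed parent forum
    "SOCNET Personnel Only": Forum("SOCNET Personnel Only", parent="Staff Area"),
}

# Custom per-(forum, group) "Can view forum" settings; absent = no custom settings.
PERMS = {
    ("Authorized Personnel Only", "Registered"): False,
    ("Authorized Personnel Only", "Authorized Personnel"): True,
    ("Authorized Personnel Only", "BTDTs"): True,
    ("Team Room", "Registered"): False,
    ("Team Room", "Authorized Personnel"): False,
    ("Team Room", "BTDTs"): True,
    ("Staff Area", "Registered"): False,
    ("Staff Area", "Authorized Personnel"): False,
    ("Staff Area", "BTDTs"): False,
    # "SOCNET Personnel Only" deliberately has no custom settings: the
    # child-forum misconfiguration from post #12.
}

DEFAULT_CAN_VIEW = True  # assumed fallback for a forum without custom settings


def can_view(user, forum_name, perms=PERMS, access_masks_on=True):
    """Single visibility decision used by every access path."""
    forum = FORUMS[forum_name]
    if user.is_admin:
        return True
    if access_masks_on:
        if forum.private and not user.is_mod:
            return False  # private forums are invisible to everyone else
        if forum_name in user.access_mask:
            return user.access_mask[forum_name]  # per-user override
    # Per-group custom setting; the child does not inherit the parent's entry.
    return perms.get((forum_name, user.group), DEFAULT_CAN_VIEW)


def visible_forums(user, perms=PERMS):
    """What the forums summary should list for this user."""
    return [name for name in FORUMS if can_view(user, name, perms)]


def search_by_author_unfiltered(author, posts):
    """The leaky variant: previews returned without a visibility check."""
    return [p for p in posts if p["author"] == author]


def search_by_author(user, author, posts, perms=PERMS):
    """Search previews filtered through the same check as forum viewing."""
    return [p for p in posts
            if p["author"] == author and can_view(user, p["forum"], perms)]


def copy_parent_permissions(perms):
    """Give each child forum an explicit per-group setting, copied from its
    parent where none exists (the manual step post #12 asks for)."""
    fixed = dict(perms)
    for name, forum in FORUMS.items():
        if forum.parent is None:
            continue
        for group in GROUPS:
            if (name, group) not in fixed and (forum.parent, group) in fixed:
                fixed[(name, group)] = fixed[(forum.parent, group)]
    return fixed


# Constructed sample posts: an admin has posted in both a shared and a staff forum.
POSTS = [
    {"author": "admin1", "forum": "Team Room", "text": "Team schedule"},
    {"author": "admin1", "forum": "SOCNET Personnel Only", "text": "Staff only"},
    {"author": "btdt1", "forum": "Authorized Personnel Only", "text": "Hello"},
]

if __name__ == "__main__":
    tester = User("tester", "BTDTs")
    print("before fix:", visible_forums(tester))
    fixed = copy_parent_permissions(PERMS)
    print("after fix: ", visible_forums(tester, fixed))
    print("search hits:", [p["forum"] for p in search_by_author(tester, "admin1", POSTS, fixed)])
```

Run with a test account in the relevant group, as post #6 advises, rather than an admin account: `can_view` short-circuits to True for admins, so an admin login never reveals whether the per-group settings are right. The unfiltered search is kept only to show the contrast; the listing and search paths in a real forum should both call the single `can_view` function so that a forum hidden from the summary cannot reappear in a preview.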

