
Problem with security breach..


  • Problem with security breach..

    OK, this will sound pretty complicated, and probably might not make sense, but here goes...

    On my board, I have three private rooms, accessible only to those who I have invited and edited their access masks so they can enter. For a while, everything seemed to be working fine.

    But now, a couple people have found a way around it. They have informed me, and I have confirmed it...they cannot post in these private rooms, but they can still see the posts in there.

    Here's their workaround.

    On the home page, there's a link that says "currently active users" that you click, and it shows you which forum everyone is browsing. Well, if someone is browsing the super-secret rooms, a guest, or a member not invited, can click on that link there, and gain access to look around.

    I hope I explained that clearly. If I did not, please let me know so I can give it another shot.

    Anyway, for those of you who understood me, how do I plug up this hole, and keep my private rooms private?

  • #2
    You are right that threads in private forums will show up in Who's Online. This is a bug that will be fixed in vB3. However there are no confirmed reports that this gives anyone access to read those threads. If your permissions are set correctly they will only get the 'No permission' screen when they click on those links.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


    • #3
      They can see the thread titles if the forums are sub-forums and they are inheriting their private status from a parent forum. They still can't get into the forum by clicking on the link. Set each forum to private instead of allowing to inherit from a parent and they will not see the thread titles anymore.


      • #4
        Thanks guys. You are awesome with the speed of your replies...

        Anyway, I have confirmed that all the forum permissions and access masks are right where they should be. I will look into this further and report back what I find out. I think I am right about uninvited guests being able to browse, but will research this more to get confirmation before I push that issue.


        • #5
          If guests can browse then your permissions are allowing them to. There is nothing magic about following a link to a private forum that will allow a guest into it. As I said, if your forums are inheriting their private permissions from a parent forum then the titles will be visible on Who's Online until you set each forum as private rather than relying on inheritance to do it.

