Security issue: private forums and search function

  • Security issue: private forums and search function


    We noticed there is a serious security/privacy issue with vBulletin 2.2.x regarding private forums. (I'm using the latest version, 2.2.8.)

    When you view someone's profile, you have the option to "Search for all posts by this user."
    By doing this, you get all posts (including a large preview of the message content) of the user.
    The output also includes threads posted in private forums, even if the user who is searching has no access to these forums!
    Of course clicking the links to the threads will not work, but you still see the thread title and a preview of the message.

    Lots of sensitive info can be retrieved by misusing this "feature".
    Disabling searching for the particular usergroup in that particular forum doesn't solve it.

    Awaiting a fix, I had no other option than disabling the search function for all groups, except the moderators.


    Last edited by redcap; Mon 14th Oct '02, 1:30am.

  • #2
    I just tested this by posting in a private forum here, logging out, then using the Find All Posts link from my getinfo page. It did not show any of my private forum posts in the search results nor on my getinfo page - it showed my second-to-last post since my last post was in a private forum.

    In short I cannot reproduce this. Have you hacked any files?


    • #3
      This doesn't happen to me either.

      Are you sure? Do you have the Last Top 10 Searches hack installed? If so, there is a fix in that thread for that bug. Make sure you have set all private forums in "Permission" to "Not viewable" to all usergroups except staff as well.


      • #4
        I made a new forum category and moved all admin forums into that category.
        Now I can't reproduce it anymore myself.
        I guess I must have overlooked something in the permission settings. But it's hard to figure out now what it was.

        Anyway, I'm deeply sorry to post this "false alarm".
        Nevertheless thank you for the quick support.
        Gives me a good feeling.



        • #5
          Sorry but ...

          I tried out some things:

          It seems the issue only occurs when using subforums, and the subforum uses its own permissions.
          IOW when the parent forum is visible and I configure the subforum in such a way that only this forum is invisible, the problem occurs ...


          • #6
            Are you using inherited permissions? There are fundamental design flaws when inheriting permissions in vB2; you have to explicitly set each forum's rights.
            --filburt1, moderator


            • #7
              Well, in my case it only works when using inherited permissions?
              Forget my previous post: "inherited permissions" is what I was referring to.


              • #8
                Something similar to this was a problem in a previous version where users could see the searches of admin if the search string was the same, and the admin had done it first.

                It gave them the same searchid; try uploading a fresh copy of search.php from the zip file.
                Scott MacVicar
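
A minimal model of the configuration discussed in posts #5 to #7, added here as an illustration and not taken from vBulletin or from any poster: a subforum with its own permissions under a visible parent, and a search that filters hits by the searcher's effective permission on each post's own forum. The forum ids, group names, data layout and the flawed variant are all constructed assumptions.

```python
# Added illustration. Forum ids, usergroups and this data layout are constructed;
# they are not vBulletin's schema or code.

# forum id -> parent forum id (None for a top-level forum)
PARENT = {1: None, 2: 1, 3: 1}

# Explicit (forum, usergroup) -> can_view entries.
# Forum 2 is a subforum with its own permissions: hidden from "member"
# although its parent, forum 1, is visible. Forum 3 has no entry and inherits.
EXPLICIT = {
    (1, "member"): True, (1, "staff"): True,
    (2, "member"): False, (2, "staff"): True,
}

# Constructed sample posts by one author across the three forums.
POSTS = [
    {"id": 10, "forum": 1, "author": "redcap", "title": "Welcome"},
    {"id": 11, "forum": 2, "author": "redcap", "title": "Admin notes"},
    {"id": 12, "forum": 3, "author": "redcap", "title": "Off topic"},
]

def can_view(forum_id, group):
    """Nearest explicit entry wins; inherit from the parent only when the
    forum has no entry of its own. No entry anywhere means deny."""
    while forum_id is not None:
        if (forum_id, group) in EXPLICIT:
            return EXPLICIT[(forum_id, group)]
        forum_id = PARENT[forum_id]
    return False

def can_view_toplevel_only(forum_id, group):
    """Hypothetical flawed check: consults only the top-level ancestor,
    so a subforum's own 'hidden' setting is never seen."""
    while PARENT[forum_id] is not None:
        forum_id = PARENT[forum_id]
    return EXPLICIT.get((forum_id, group), False)

def search_by_author(author, group, check=can_view):
    """Return ids of the author's posts the searcher may see. The permission
    test runs per post, before any title or preview would be rendered."""
    return [p["id"] for p in POSTS
            if p["author"] == author and check(p["forum"], group)]

if __name__ == "__main__":
    print("member, per-forum check:   ", search_by_author("redcap", "member"))
    print("member, top-level-only bug:",
          search_by_author("redcap", "member", can_view_toplevel_only))
    print("staff:                     ", search_by_author("redcap", "staff"))
```

Running the same author search as an unprivileged test account after every permission change is a quick regression check for this class of leak.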
