Security Problem: Mass Move

  • Security Problem: Mass Move

    Well, I've searched and didn't find a thread about it, which confuses me, because it's a somehow obvious bug.

    Scenario: You have a forum, which is just viewable to Admin, and you have a supermod or another mod who can massmove threads.

    This mod/SM can just go into the Mod CP and MassMove all/single threads out of the Adminforum into a forum which he can read.

    Of course, normally you should trust your supermods, but I think it's a bug, so I post it here.
    The price of freedom is eternal vigilance!
    - Thomas Jefferson

  • #2
    Like this has been said already: you must trust your Smods/Mods to not do this; otherwise, why would you have them as your mods? And it is not a bug; you can easily hack your board to make it so they cannot do this.
    Originally posted by Xenon
    Well, I've searched and didn't find a thread about it, which confuses me, because it's a somehow obvious bug.

    Scenario: You have a forum, which is just viewable to Admin, and you have a supermod or another mod who can massmove threads.

    This mod/SM can just go into the Mod CP and MassMove all/single threads out of the Adminforum into a forum which he can read.

    Of course, normally you should trust your supermods, but I think it's a bug, so I post it here.


    • #3
      Unfortunately there are times when problems can occur and mods know they will go, so they read some of your private threads before, and things like that.

      I myself trust my mods, but why are they able to do so?
      As stated in my sig, vigilance is better than seeing admin posts in public

      edit: it is a bug if you have to hack a board to deBUG it


      • #4
        Very true, you have a point; the vB developers will have to reply to this to see if it's been fixed in vB 3.0.

        Cheers Xenon! Sorry I couldn't help.



        • #5
          the mass move function should only show forums for which a user has permission.

          I'll have to install vB2 to test this though.
          Scott MacVicar



          • #6
            have ya tested it?

            I don't know if the problem is for normal mods, but for supermods I tested it... (maybe I should use an unhacked vb230 RC3 to retest it)


            • #7
              The problem will exist for super mods since they have the ability to moderate all forums even if their accessmask doesn't have permission to see it.
              Scott MacVicar



              • #8
                True, but I think this shouldn't be right?
                Also, supermod rights should just work on forums which they have access to.

                As said, I trust my mods, but at least for vb3 (don't know if it's the same here) it should be "fixed".


                • #9
                  *bumping*

                  Well, I see the same bug is in vb3, also.
                  And it's really a bug, as supermods shouldn't be able to see the thread titles of threads which they can't see normally.....

                  So please fix it in the next vb2 release and, more important, fix it in the next vb3 beta.


                  • #10
                    another bumping

                    maybe a mod can move this thread into vb3 section, as the bug appears there also


                    • #11
                      Super Mods are Admin without access to the Admin CP (unless you give it.) Therefore they will be able to do anything an Admin can do. This is not a bug as much as a design issue.
                      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                      • #12
                        Stefan, I converted the forum selector to one single function for selecting the forums and I'll try to resolve it at a later date.
                        Scott MacVicar



                        • #13
                          thx Scott
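
The rule from posts #5 and #7, combined with the single forum selector mentioned in #12, sketched as an added example (not vBulletin's code and not written by anyone in this thread). All function names, array fields, group names and sample forums are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data; forum ids, group names and field names are hypothetical.
$forums = [
    1 => ['title' => 'General',    'view_groups' => ['member', 'supermod', 'admin']],
    2 => ['title' => 'Staff',      'view_groups' => ['supermod', 'admin']],
    3 => ['title' => 'Admin only', 'view_groups' => ['admin']],
];
$threads  = [101 => 3, 102 => 3, 103 => 1];   // thread id => forum id
$superMod = ['group' => 'supermod', 'is_supermod' => true, 'moderates' => []];

function canView(array $user, array $forum): bool {
    return in_array($user['group'], $forum['view_groups'], true);
}

function canModerate(array $user, int $forumId): bool {
    // Super moderators pass for every forum, which is the behaviour post #7 describes.
    return $user['is_supermod'] || in_array($forumId, $user['moderates'], true);
}

// One selector for every forum list: offered only if the user may moderate AND view it.
function selectableForums(array $user, array $forums): array {
    return array_filter($forums, fn(array $f, int $id): bool =>
        canModerate($user, $id) && canView($user, $f), ARRAY_FILTER_USE_BOTH);
}

// The move handler repeats the check on source and destination, because the
// submitted request carries its own forum ids regardless of what the selector listed.
function massMove(array $user, array &$threads, array $forums, int $src, int $dst): int {
    $allowed = selectableForums($user, $forums);
    if (!isset($allowed[$src]) || !isset($allowed[$dst])) {
        throw new RuntimeException(sprintf('mass move denied: forum %d to %d', $src, $dst));
    }
    $moved = 0;
    foreach ($threads as $threadId => $forumId) {
        if ($forumId === $src) { $threads[$threadId] = $dst; $moved++; }
    }
    return $moved;
}

echo implode(', ', array_column(selectableForums($superMod, $forums), 'title')), "\n";
try {
    massMove($superMod, $threads, $forums, 3, 1);   // source is the admin-only forum
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
echo massMove($superMod, $threads, $forums, 1, 2), " thread(s) moved\n";
```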