Security Problem: Mass Move

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts
    Xenon
    Senior Member

  • Xenon
    replied
    thx Scott

  • Scott MacVicar
    Former vBulletin Developer

  • Scott MacVicar
    replied
    Stefan, I converted the forum selector to one single function for selecting the forums and I'll try to resolve it at a later date.

  • Steve Machol
    Former Customer Support Manager

  • Steve Machol
    replied
    Super Mods are Admin without access to the Admin CP (unless you give it.) Therefore they will be able to do anything an Admin can do. This is not a bug as much as a design issue.

  • Xenon
    Senior Member

  • Xenon
    replied
    another bumping

    maybe a mod can move this thread into vb3 section, as the bug appears there also

  • Xenon
    Senior Member

  • Xenon
    replied
    *bumping*

    well i see the same bug is in vb3, also.
    and it's really a bug as supermods shouldn't be able to see the thread titles of threads which they can't see normally...

    so please fix it in the next vb2 release and more important fix it in the vb3 next beta

  • Xenon
    Senior Member

  • Xenon
    replied
    true, but i think this shouldn't be right?
    also supermod rights should just work on forums which they have access to.

    as said i trust my mods, but at least for vb3 (don't know if it's the same here) it should be "fixed"

  • Scott MacVicar
    Former vBulletin Developer

  • Scott MacVicar
    replied
    the problem will exist for super mods since they have the ability to moderate all forums even if their accessmask doesn't have permission to see it.

  • Xenon
    Senior Member

  • Xenon
    replied
    have ya tested it?

    i don't know if the problem is for normal mods, but for supermods i tested it... (maybe i should use an unhacked vb230 RC3 to retest it)

  • Scott MacVicar
    Former vBulletin Developer

  • Scott MacVicar
    replied
    the mass move function should only show forums for which a user has permission.

    I'll have to install vB2 to test this though.

  • Guest
    Guest

  • Brian Briscoe
    Guest replied
    Very true, you have a point, the vB Developers will have to reply to this to see if it's been fixed in vB 3.0.

    Cheers Xenon! Sorry I couldn't help.

  • Xenon
    Senior Member

  • Xenon
    replied
    unfortunately there are times when problems can occur and mods know they will go, so they read some of your private threads before and things like.

    i myself trust my mods, but why are they able to do so?
    As stated in my sig, vigilance is better than seeing admin posts in public

    edit: it is a bug if you have to hack a board to deBUG it

  • Guest
    Guest

  • Brian Briscoe
    Guest replied
    Like this has been said already, you must trust your Smods/Mods to not do this, otherwise why would you have them as your mods. And it is not a bug, you can easily hack your board to make it so they cannot do this.
    Originally posted by Xenon
    Well i've searched and didn't find a thread about, which confuses me, because it's a somehow obvious bug.

    Scenario: You have a forum, which is just viewable to Admin, and you have a supermod or another mod who can massmove threads.

    This mod/SM can just go into the Mod CP and MassMove all/single threads out of the Adminforum into a forum which he can read.

    Of course, normally you should trust your supermods but i think it's a bug so i post it here

  • Xenon
    Senior Member

  • Xenon
    started a topic Security Problem: Mass Move

    Security Problem: Mass Move

    Well i've searched and didn't find a thread about, which confuses me, because it's a somehow obvious bug.

    Scenario: You have a forum, which is just viewable to Admin, and you have a supermod or another mod who can massmove threads.

    This mod/SM can just go into the Mod CP and MassMove all/single threads out of the Adminforum into a forum which he can read.

    Of course, normally you should trust your supermods but i think it's a bug so i post it here
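
The scenario discussed in this thread, as an added example that is not part of any post and is not vBulletin code: a mass-move handler that checks only the moderation right, beside one that also requires view permission on the source and destination forums. All function names, array layouts and sample data are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data; layout is hypothetical, not vBulletin's schema.
$forums = [
    1 => ['title' => 'General',    'view' => ['member', 'supermod', 'admin']],
    2 => ['title' => 'Admin only', 'view' => ['admin']],
];
$threads = [
    ['id' => 10, 'forum' => 2, 'title' => 'Staff review'],
    ['id' => 11, 'forum' => 1, 'title' => 'Welcome'],
];

// View permission is decided per forum.
function canView(array $forums, string $group, int $forumId): bool
{
    return isset($forums[$forumId])
        && in_array($group, $forums[$forumId]['view'], true);
}

// Moderation right is global for super moderators, as the thread describes.
function canModerate(string $group): bool
{
    return $group === 'supermod' || $group === 'admin';
}

// Before: only the moderation right is checked, so a forum the caller
// cannot view is still accepted as the source of the move.
function massMoveUnchecked(array &$threads, string $group, int $from, int $to): int
{
    if (!canModerate($group)) {
        return 0;
    }
    $moved = 0;
    foreach ($threads as &$t) {
        if ($t['forum'] === $from) { $t['forum'] = $to; $moved++; }
    }
    unset($t);
    return $moved;
}

// After: the handler re-checks view permission on both forums on the server
// side, in addition to filtering the forum selector shown to the moderator.
function massMoveChecked(array $forums, array &$threads, string $group, int $from, int $to): int
{
    if (!canView($forums, $group, $from) || !canView($forums, $group, $to)) {
        return 0;
    }
    return massMoveUnchecked($threads, $group, $from, $to);
}
```

Calling both functions with group `supermod`, source forum 2 and destination forum 1 shows the difference: the checked variant moves nothing, while the unchecked one relocates the admin-only thread into a forum the super moderator can read.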