
Security problem: Mods can view hidden forum by knowing the forumid


  • Security problem: Mods can view hidden forum by knowing the forumid


    In our forum we have set up two special forums, where only a small group of users can enter. Even the moderators should not be able to enter, and also the super-moderators. But we have found out that there is a security bug. Moderators are not allowed to see the forum. This has been done through the forum access masks and was a pain, as every moderator (we have over 50 of them) had to be edited manually. So they don't see the forum in the private-forums-area. But if they take their own URL for their forum:

    and change the ID to the one of the hidden forum, they can view the hidden forum. This is only for moderators and super-moderators. Normal users get a message "You are not allowed to see this page".

    Is this resolved in version 3?


  • #2
    There is no bug. It's just simply incorrectly configured permissions on your behalf.

    To fix, go to your admincp. Press Forum Permissions on your nav bar. Then click edit next to *every* group you don't want access to your admin forum. On the page that loads, pick the lower radio button ("use custom settings" or something along those lines) and set NO to every question. Save, repeat for other usergroups.

    And guests can see the stuff from the link you posted above.


    • #3
      Well, the forum link I posted above is not the hidden forum. It was just an example.

      What permissions have to be set, in which order, to not have that problem? Oh btw. The correct link would be:

