
Bug Report - Modifying Announcements


  • Bug Report - Modifying Announcements

    Hello vBulletin staff,

    I couldn't find anywhere to report bugs regarding the vBulletin software, so I guess this is the best place to post it.
    While I was moderating a vBulletin 4.2.2 forum, I suddenly found a security hole in the Moderator Control Panel.

    You only need to be a section moderator of a vBulletin forum to be able to edit or force view announcements in any forum. I am, for example, only a section moderator for one forum, Europe MapleStory, on GameKiller.net, but I was able to modify the Official Rules announcement that applied to All Forums by going to /modcp/announcement.php?do=edit&a=1. By just modifying the HTTP header, it's possible for a Moderator to edit or force view any announcement they don't have permission to view on the forums, as long as they have the ID of the announcement, which they could obtain on the forums.

    Just wanted to make you aware of this security vulnerability.
    Best regards, Martin Olofsson.
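
The report above describes an edit page that acts on whatever announcement id the request carries. A server-side scope check of the following kind closes that class of gap. This is an added example, not part of the original post and not vBulletin code; the function names, array keys, sample data and the `-1` all-forums marker are assumptions.

```php
<?php
// Hypothetical names throughout; not vBulletin's API.
const ALL_FORUMS = -1; // assumed marker for an announcement that applies to every forum

// May this user edit or view the announcement from the moderator control panel?
// $moderatedForumIds comes from the server-side session, never from the request.
function canManageAnnouncement(array $announcement, array $moderatedForumIds, bool $isGlobalModerator): bool
{
    if ($isGlobalModerator) {
        return true; // super moderators and administrators cover every forum
    }
    $forumId = (int) $announcement['forumid'];
    if ($forumId === ALL_FORUMS) {
        return false; // a site-wide announcement is outside any section moderator's scope
    }
    return in_array($forumId, array_map('intval', $moderatedForumIds), true);
}

// Handles ?do=edit&a=<id>: the id is looked up first, then checked against the
// caller's scope before anything about the announcement is returned.
function handleAnnouncementEdit(array $query, array $announcements, array $user): array
{
    $raw = $query['a'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        return ['status' => 400, 'body' => 'invalid announcement id'];
    }
    $announcement = $announcements[(int) $raw] ?? null;
    // Missing and forbidden get the same answer, so ids cannot be probed.
    if ($announcement === null
        || !canManageAnnouncement($announcement, $user['moderates'], $user['global'])) {
        return ['status' => 403, 'body' => 'no permission'];
    }
    return ['status' => 200, 'body' => $announcement['title']];
}

// Constructed sample data: one site-wide announcement, one scoped to forum 12.
$announcements = [
    1 => ['forumid' => ALL_FORUMS, 'title' => 'Official Rules'],
    7 => ['forumid' => 12, 'title' => 'Section notice'],
];
$sectionMod = ['moderates' => [12], 'global' => false];

foreach (['1', '7', '99', 'abc'] as $id) {
    $r = handleAnnouncementEdit(['a' => $id], $announcements, $sectionMod);
    printf("a=%s -> %d %s\n", $id, $r['status'], $r['body']);
}
```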

  • #2
    To get vB support on these forums you first need to be a licensed customer and register for Priority Forum Support. To do this, please go here:

    http://members.vbulletin.com/membersupport_priority.php

    ...and enter your email address in one of the boxes. You'll need to have your customer number and password to access the page.

    If you still have problems after doing this, send an email to support@vbulletin.com. Please include your user name, the email address you registered with and your customer number so we can fix the problem.

    We are aware of the issues with Announcements and recommend that site owners turn off HTML Announcements for moderators.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
    vBulletin 5 Documentation - Updated every Friday. Report issues here.
    vBulletin 5 API - Full / Mobile
    I am not currently available for vB Messenger Chats.



    • #3
      So normal moderators who find vulnerabilities won't be able to report about them?
      vBulletin should reconsider this. Not only site administrators may find critical bugs.



      • #4
        Originally posted by maol3
        So normal moderators who find vulnerabilities won't be able to report about them? vBulletin should reconsider this. Not only site administrators may find critical bugs.
        Sorry, we can only provide support to customers, that isn't going to change. However your site owner can add you as an authorised person to receive support.
        MARK.B | vBULLETIN SUPPORT

        TalkNewsUK - My vBulletin 5.5.2 Demo
        AdminAmmo - My Cloud Demo



        • #5
          Originally posted by maol3
          So normal moderators who find vulnerabilities won't be able to report about them?
          vBulletin should reconsider this. Not only site administrators may find critical bugs.
          We do appreciate you wanting to report bugs. We have a dedicated bug tracker that licensed customers do have access to. If your site Administrator adds your email address to the Priority Forum Support list in his Members' Area, then you will be able to access the bug tracker and view or post proper reports.

