Snitz Forums 2000
 Admin_info security?


TOPIC REVIEW
modifichicci Posted - 09 January 2008 : 14:53:49
I have noticed that admin_info is accessible to all admins, not only the main forum admin (id 1).
In that function the id and password of the MySQL db are shown; I think that could be reserved to the forum admin only, looking at the last hacking... (ok, the fix stopped them, but if another bug comes out and someone can log in as admin, they can access the db, and that is not a good thing, is it?)

What do you think about it?

6 LATEST REPLIES (Newest First)
Carefree Posted - 31 October 2008 : 01:21:31
For Access database users (and possibly others), we need to add another variable (in red in the original: the left(item.name,11) test):

    ' Hide connection properties from everyone except the main forum admin;
    ' the prefix test catches both "Data Source" and "Data Source Name".
    if MemberID <> IntAdminMemberID and (item.name = "UserName" or left(item.name,11)="Data Source" or item.name = "Password" or item.name = "Extended Properties" or item.name = "Current Catalog" or item.name = "Server Name") then

This eliminates both the "data source" and the "data source name" variables, which both reported the path and database names.
modifichicci Posted - 10 January 2008 : 14:19:53
A quick fix to admin_info.asp

Change line 95

    if item.value = "" then

to

    ' Hide db credentials and location from admins other than the main forum admin
    if (item.name = "User Name" or item.name = "Password" or item.name = "Extended Properties" or item.name = "Current Catalog" or item.name = "Server Name") and MemberID <> intAdminMemberID then
        Response.Write "Not allowed"
    elseif item.value = "" then

These lines remove the db name, password and location of the MySQL server for users who are not the forum admin.
This works for a MySQL db, not tested on Access.
If there are other values to be hidden, it's sufficient to add the variable to the if statement.
Just a quick look at it and a simple suggestion.
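The two fixes above (modifichicci's name check in admin_info.asp and Carefree's added left(item.name,11) prefix test) both filter ADO connection properties by name before the page prints them. The block below is an added Python model of that filter, not code from Snitz Forums 2000 or from either poster, written so the behaviour can be checked outside IIS. It assumes a property list shaped like (name, value) pairs; the property names and values in PROPS are constructed for the example, the two spellings of the user-name property come from the two posts (which spelling ADO actually reports is not settled in the thread, so the model matches both, case-insensitively), and the prefix rule generalizes Carefree's test to any name beginning with "Data Source".

```python
"""Model of the admin_info.asp connection-property filter from the thread.

Constructed example: PROPS imitates what an ADO Connection.Properties
collection might expose; the names and values are made up for the demo.
"""

# Names whose values identify or authenticate to the database.
# Both spellings used in the thread are listed; matching is case-insensitive
# because VBScript's "=" on strings is case-sensitive, so a spelling mismatch
# in the ASP check would silently leave a property visible.
SENSITIVE_EXACT = {
    "user name", "username", "password", "extended properties",
    "current catalog", "server name",
}
# Prefix rule: covers "Data Source" and "Data Source Name" (Carefree's
# left(item.name, 11) = "Data Source" test, generalized to any such name).
SENSITIVE_PREFIXES = ("data source",)

REDACTED = "Not allowed"   # the literal the ASP fix writes instead of the value
EMPTY = "(empty)"          # stands in for whatever the page prints for ""

# Constructed sample properties: a mix of secrets and harmless settings.
PROPS = [
    ("Data Source", "db.example.invalid"),
    ("Data Source Name", r"C:\inetpub\data\forum.mdb"),
    ("User Name", "forumuser"),
    ("Password", "s3cret-demo"),
    ("Provider", "Microsoft.Jet.OLEDB.4.0"),
    ("Connect Timeout", 15),
    ("Extended Properties", ""),
]
SECRET_VALUES = {"db.example.invalid", r"C:\inetpub\data\forum.mdb",
                 "forumuser", "s3cret-demo"}


def is_sensitive(name: str) -> bool:
    """True when a property's value must not be shown to non-main admins."""
    n = name.strip().lower()
    return n in SENSITIVE_EXACT or any(n.startswith(p) for p in SENSITIVE_PREFIXES)


def render_properties(props, member_id: int, admin_member_id: int):
    """Return the (name, displayed value) rows as the admin page would.

    Mirrors the order of the ASP fix: the sensitivity check comes before the
    empty-value check, so an empty secret still prints "Not allowed" for
    anyone other than the main admin rather than revealing that it is empty.
    """
    rows = []
    for name, value in props:
        if member_id != admin_member_id and is_sensitive(name):
            rows.append((name, REDACTED))
        elif value == "":
            rows.append((name, EMPTY))
        else:
            rows.append((name, str(value)))
    return rows


def leaked_properties(props, member_id: int, admin_member_id: int,
                      secret_values=SECRET_VALUES):
    """Audit helper: names whose displayed value is a known secret.

    A defender can run this for every admin id except the main one; the list
    must come back empty, otherwise the deny-list is missing a spelling.
    """
    return [name for name, shown in render_properties(props, member_id, admin_member_id)
            if shown in secret_values]


if __name__ == "__main__":
    for member in (1, 2):
        print(f"--- as member {member} ---")
        for name, shown in render_properties(PROPS, member, 1):
            print(f"{name}: {shown}")
    print("leaks for member 2:", leaked_properties(PROPS, 2, 1))
```

Running it as member 1 shows every value; as member 2 the four identifying properties print "Not allowed" and leaked_properties returns an empty list. The audit function is the check worth keeping: a deny-list of names only protects the spellings it knows, so after any change to the database provider, re-run it against the real property names the page displays.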
davemaxwell Posted - 10 January 2008 : 13:28:09
quote:
Originally posted by Image

That is exactly the answer I am waiting for.

Do you think this fix is not out of context?
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=63022



Image,

Did you see the post that Davio made after you in that thread? He posted the names of the files that needed changing (though in this case the page would be admin_info.asp), the line numbers in the baseline version, and the code being changed. He showed the original, then showed what he changed with highlights. This makes it much easier for someone to come in and incorporate bug fixes into the baseline version.

That's the point Huw is trying to make. We appreciate the fact that you're taking the time and trying to help, but if you could please take a few extra minutes and show a before and after to your code changes, it makes it easier on someone trying to incorporate them into baseline versions.

quote:
Originally posted by Image
I am waiting for the new version .07 to send you 2 new bugs with that fix.



If you've got known bugs, then please either post them now, or at the very least get in touch directly with Davio so that they can be corrected before the version is released.

I don't mean to be rude, but why in the world would you want to wait and add bugs to a version that hasn't been released yet? It makes much more sense to tag them before it's released.
HuwR Posted - 10 January 2008 : 01:56:40
useful piece of totally out of context code, thanks for that!!
ruirib Posted - 09 January 2008 : 17:13:49
Yeah, I agree. Probably something to add already for 3.4.07.
HuwR Posted - 09 January 2008 : 16:59:10
yes, probably a good idea

Snitz Forums 2000 © 2000-2021 Snitz™ Communications. Powered By: Snitz Forums 2000 Version 3.4.07