Snitz Forums 2000
 V33(.03) BUG+FIX: Security in post.asp

soopergoober
Starting Member

3 Posts

Posted - 13 November 2001 :  00:43:05
I'm using version 3.3 on my website, and I found an interesting bug/hack that lets you read posts that are in locked sections of the forum.

The easiest way to duplicate this bug is to log in to a locked section of the board and initiate a reply to a post. Copy the URL of the page you get, and then logout. If you paste the copied URL into your web browser (even being logged out!) you will be able to read the messages in that section of the board. After that, you need only edit the URL to read messages in any section of the site.

I'm currently investigating a way to fix this bug/feature, but I thought I'd post a message here and see if this was a known bug, and if there was a fix for it already.

Da_Stimulator
DEV Team Forum Moderator

USA
3373 Posts

Posted - 13 November 2001 :  01:00:35
I just tested this, and it is a bug.

----
-Eric (da_stimulator)
Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
Need a Mod? Check out the Mod Resource

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 13 November 2001 :  01:05:08
ok, on line #162 of post.asp insert this:

	if not(chkForumAccess(strRqForumID,MemberID)) then
		Go_Result "You do not have access to post to this forum"
	end if


This is right below the following:

	select case strRqMethod
		case "Topic"
			if (blnCStatus = 0) and (AdminAllowed = 0) then
				Go_Result "You have attempted to post a New Topic to a Locked Category"
			end if
			if (blnFStatus = 0) and (AdminAllowed = 0) then
				Go_Result "You have attempted to post a New Topic to a Locked Forum"
			end if
		case "EditTopic"
			if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
				Go_Result "You have attempted to edit a Locked Topic"
			end if
		case "Reply", "ReplyQuote", "TopicQuote"
			if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
				Go_Result "You have attempted to Reply to a Locked Topic"
			end if
		case "Edit"
			if ((blnCStatus = 0) or (blnFStatus = 0) or (blnTStatus = 0)) and (AdminAllowed = 0) then
				Go_Result "You have attempted to Edit a Reply to a Locked Topic"
			end if
	end select
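Added example (not part of the thread and not Snitz code): a small Python model of the gap described above, where the select case block checks only lock status and the inserted chkForumAccess call is what ties the form to forum membership. The forum data, member ids and the names chk_forum_access, render_post_form and leaks are assumptions made for the illustration; the check is placed after the status checks, as in the fix.

```python
# Model of the access-control gap fixed in this thread (illustrative, not Snitz code).
# Forum/topic data and member ids are constructed for the demo.
FORUMS = {
    1: {"locked": False, "allowed": None},        # open to everyone
    2: {"locked": False, "allowed": {"alice"}},   # restricted to listed members
}
TOPICS = {10: {"forum": 1, "body": "public text"},
          20: {"forum": 2, "body": "members-only text"}}
METHODS = ("Topic", "EditTopic", "Reply", "ReplyQuote", "TopicQuote", "Edit")

class Denied(Exception):
    """Stands in for Go_Result: stop processing and show a message."""

def chk_forum_access(forum_id, member_id):
    # Stand-in for chkForumAccess(strRqForumID, MemberID).
    allowed = FORUMS[forum_id]["allowed"]
    return allowed is None or member_id in allowed

def status_checks(forum_id, is_admin):
    # Mirrors the select case block: it looks at lock status only,
    # never at who is making the request.
    if FORUMS[forum_id]["locked"] and not is_admin:
        raise Denied("locked")

def render_post_form(method, topic_id, member_id, is_admin=False, patched=True):
    forum_id = TOPICS[topic_id]["forum"]
    status_checks(forum_id, is_admin)
    # The inserted check: applies to every method, right after the status checks.
    if patched and not chk_forum_access(forum_id, member_id):
        raise Denied("You do not have access to post to this forum")
    # The form page shows the topic text, which is what leaked.
    return f"[{method}] {TOPICS[topic_id]['body']}"

def leaks(patched):
    """Methods for which a logged-out request still receives restricted text."""
    hits = []
    for method in METHODS:
        try:
            page = render_post_form(method, 20, member_id=None, patched=patched)
        except Denied:
            continue
        if TOPICS[20]["body"] in page:
            hits.append(method)
    return hits

if __name__ == "__main__":
    print("before fix:", leaks(False))
    print("after fix: ", leaks(True))
```

Running leaks() over every method rather than only Reply is the useful regression test here, since the status checks differ per method while the access check must hold for all of them.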

Da_Stimulator
DEV Team Forum Moderator

USA
3373 Posts

Posted - 13 November 2001 :  01:17:58
has been fixed for 3.4

----
-Eric (da_stimulator)
Stims Snitz Test area - Running 3.3.03, 4 beta, Huw's code, and Davio's code
Need a Mod? Check out the Mod Resource

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 13 November 2001 :  03:08:09
This has to be the fastest bug fix I have ever seen.
34 minutes and it's fixed and put in the next version?
Which other forum support can do that?

- David

Deleted
deleted

4116 Posts

Posted - 01 December 2001 :  12:51:03
Hmmm. I'm a bit late but I go step by step... My version of it reads:

	if not(chkForumAccess(strRqForumID,MemberID)) then
		Go_Result fLang(strLangPost00075)
	end if


and the following and translations are added to the LangNNNN.asp files in the correct place (alphabetic order):

strLangPost00075 = "You do not have access to post to this forum" '"You do not have access to post to this forum"



Fixed in [v40b03patch001]...


Think Pink
Test Site not ready yet | Post v40b03 Patches