Snitz Forums 2000
 please review: security mod for Snitz 3.3.05

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 03 January 2003 :  11:00:23
Hi there,

Here at work we use Snitz 3.3.05 within our Intranet site in a modified way as a simple content management system.
I experienced some strange behaviour where it comes to security.

For instance, a topic from a members only forum could be opened directly by a 'guest' without any problems.
Therefore I modified the code myself, as I couldn't find any suggestions around here.

I've now done the following, and I would like to hear from you guys (the experts), what you think of this. Maybe there are some things I completely overlooked.

BTW, we use NT security on both NTFS and the forum itself. However, we want to make a difference between 'open' topics and secure topics.

I did the following:
In config.asp :
added the following lines:

around line 90
dim strPrivateForumType

around line 300
strPrivateForumType = Application(strCookieURL & "strPrivateForumType")


In topic.asp
added the following lines:
line 127
strTablePrefix & "FORUM.F_PRIVATEFORUMS, " & _

line 155
PrivateForumType = rsTopic("F_PRIVATEFORUMS")


After the following (around line 175)
if strModeration > 0 and Cat_Moderation > 0 and Forum_Moderation > 0 and AdminAllowed = 0 then
	Moderation = "Y"
else
	Moderation = "N"
end if

add the following:

' Stop guests (mlev = 0) from opening topics in members-only forums
if PrivateForumType = "4" or PrivateForumType = "2" then
	if mlev = 0 then
		Response.Write "<p align=center><font face='" & strDefaultFontFace & "' size='" & strDefaultFontSize & "'>" & _
			"<br><b>This document is only accessible to registered members</b>" & _
			"<br>You need to register in order to view this document.</font></p>" & _
			"<table align=center border=0><tr><td>" & _
			"<font face='" & strDefaultFontFace & "' size='" & strDefaultFontSize & "'>" & _
			"</font></td></tr>" & _
			"</table>" & _
			"<p align=center><font face='" & strDefaultFontFace & "' size='" & strHeaderFontSize & "'>" & _
			"<a href='JavaScript:history.go(-1)'>Go Back</a></font></p>"
		Response.End
	end if
end if


I think I should also include some of this code in other asp files, such as POST.ASP, FORUM.ASP, POST_INFO.ASP, but I am still working on that...

Oh yeah, btw, for those of you who say "upgrade to 3.4 so you won't have to do all of those things": we cannot upgrade to 3.4 as long as 3.4 does not have an HTML/RTE editor... I know there are security risks with the RTE, but we use it only in our intranet environment.

portfolio - linkshrinker - oxle - twitter
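Because the same guard is needed on every page that can reach a members-only topic, one option is a single shared routine instead of pasted copies. This is an added example, not code from the post above or from Snitz: the file name inc_private_guard.asp and both routine names are hypothetical, and it assumes, as the post does, that mlev = 0 means a guest and that F_PRIVATEFORUMS values 2 and 4 mark members-only forums.

```vbscript
<%
' inc_private_guard.asp (hypothetical include file; added example, not Snitz code)
' Assumptions taken from the post above:
'   mlev = 0                 -> visitor is not logged in (guest)
'   F_PRIVATEFORUMS = 2 or 4 -> forum is for registered members only

' Returns True when the visitor must NOT be shown content of this forum.
' Fails closed: if the page forgot to load F_PRIVATEFORUMS (Empty), or the
' value is Null or non-numeric, a guest is blocked instead of let through.
Function GuestIsBlocked(ByVal PrivateForumType, ByVal MemberLevel)
	GuestIsBlocked = True
	If IsNull(MemberLevel) Then Exit Function
	If Not IsNumeric(MemberLevel) Then Exit Function
	If CLng(MemberLevel) > 0 Then
		' Logged-in member: this guard only covers guests,
		' any per-forum member checks still have to run.
		GuestIsBlocked = False
		Exit Function
	End If
	If IsNull(PrivateForumType) Or IsEmpty(PrivateForumType) Then Exit Function
	If Not IsNumeric(PrivateForumType) Then Exit Function
	Select Case CLng(PrivateForumType)
		Case 2, 4
			GuestIsBlocked = True
		Case Else
			GuestIsBlocked = False
	End Select
End Function

' Call this from topic.asp, forum.asp, post.asp and post_info.asp right
' after the recordset is opened and before any topic data is written.
' Pass the value read from the database row of the requested topic or
' forum, never a value taken from the query string.
Sub RequireMemberForPrivateForum(ByVal PrivateForumType)
	If Not GuestIsBlocked(PrivateForumType, mlev) Then Exit Sub
	Response.Write "<p align=center>" & _
		"<b>This document is only accessible to registered members</b>" & _
		"<br>You need to register in order to view this document.</p>" & _
		"<p align=center><a href='JavaScript:history.go(-1)'>Go Back</a></p>"
	Response.End
End Sub
%>
```

With the decision in one function, a page that selects the topic but omits F_PRIVATEFORUMS from its query denies guests by default rather than silently exposing the topic.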

suhern
Junior Member

186 Posts

Posted - 03 January 2003 :  12:00:01
RTE is available on 3.4. Check out this post:

http://www.serverhacker.com/forum/topic.asp?TOPIC_ID=707

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 03 January 2003 :  13:20:19
tnx for the tip suhern. I will try and see what I can do with the new RTE.

portfolio - linkshrinker - oxle - twitter