Author |
Topic |
|
KJD
Starting Member
5 Posts |
Posted - 29 December 2004 : 18:59:39
|
I'm not sure where to post this, but I found a pretty serious bug. It doesn't compromise security, but it can be quite a pain to deal with. We created a hidden forum, but some of our users discovered they could access it using the Jump To menu on the bottom of the page when you visit a forum. This was only selective to some of our users, and not all. We are not sure what caused it, but it is definitely a major concern. If someone could look into this, it'd be greatly appreciated. |
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 29 December 2004 : 19:03:22
|
What version of the forum are you using?
Are you saying they saw the hidden forum listed in the Jump To menu and accessed it from there? |
Support Snitz Forums
|
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 29 December 2004 : 19:12:35
|
Gonna need a lot more information than what you provided. |
|
|
KJD
Starting Member
5 Posts |
Posted - 29 December 2004 : 19:45:30
|
Yes, some members were able to access the hidden board by using the Jump To Menu. I'm not sure what version, the board was installed very recently, about a week or two ago, so I'm assuming it's the most recent version of the board. I created a test account to test the claim, and I was unable to see it. But the user who found it has ( ) in their name, like Bob (Smith). This is normally not allowed, but I made his username that way since he was complaining about how he used to be able to have his name that way on the old message board we had. So I tried to log in with his username, and surprisingly, I could suddenly see the board in the Jump To menu. After logging out and logging back in with my test account, I could STILL see it. I thought perhaps something was related to a cookie, I wasn't sure. So I tried it again, this time using IE instead of Firefox, and I couldn't find it using the test account. I again tried using his account, and sure enough, it worked. Our theory was that having a modified account somehow gave you access, but then another user was able to find it. So now we don't know what to think. |
|
|
Da_Stimulator
DEV Team Forum Moderator
USA
3373 Posts |
Posted - 29 December 2004 : 20:05:16
|
If you hover your mouse over the Snitz copyright link, it will tell you what version of the forums is being used.
As to the problem, by the sounds of it this is indeed most likely caused by the ( ), because when used in an SQL query, they can alter it; they're not allowed. That is standard for that reason... if it's altered to be in there, it's not a bug. |
-Stim |
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 29 December 2004 : 20:17:59
|
We do not allow those characters () to be in the username. Users cannot register with those characters. We did that for security measures. If you went ahead and modified the database to include those characters in the username of a member, then you have compromised the security of your own forum. |
Support Snitz Forums
|
|
|
KJD
Starting Member
5 Posts |
Posted - 29 December 2004 : 21:14:16
|
Ok, so changing it back should hopefully solve that problem, I'm assuming. |
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
Posted - 29 December 2004 : 21:36:52
|
I haven't been able to reproduce this, which Auth Type are you using?
All Visitors / Members Only / Members Only (Hidden) / Password Protected / Members Only & Password Protected / Allowed Member List & Password Protected / Allowed Member List / Allowed Member List (Hidden) |
|
|
KJD
Starting Member
5 Posts |
Posted - 29 December 2004 : 23:14:12
|
Allowed Member List (Hidden)
The user account that was created is Steve (Regis) |
Edited by - KJD on 29 December 2004 23:14:37 |
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 29 December 2004 : 23:37:25
|
Couldn't recreate it either. You haven't mentioned what version of the forums you are using. |
Support Snitz Forums
|
Edited by - Davio on 29 December 2004 23:37:42 |
|
|
KJD
Starting Member
5 Posts |
Posted - 30 December 2004 : 07:18:41
|
3.4.03, I wonder if it's an admin setting. I remember I changed the type of cookies... from something to website. That fixed it, but then no one could log out. So I switched it back, and since, no one can get into that board. So I'm not sure, it was some sort of fluke, I haven't been able to recreate it. It worked with two different hidden boards that were open at different times, btw. |
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 30 December 2004 : 12:20:45
|
If you change the location of the cookies from forum to website, when your forum is active, your members will need to clear out their cookies, before they will be able to log back in. Otherwise the forum will be reading the old cookie.
Also the latest version is 3.4.05. We advise that you upgrade. If not, apply the security fixes in the Security forum for your forum version. |
Support Snitz Forums
|
|
|
|
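Added example, not part of the thread and not Snitz code: a small model of how a browser stores and sends cookies (RFC 6265 path matching and ordering), showing one way the forum can end up reading the old cookie after the cookie location is changed from forum to website. The cookie name, paths, values and the first-value-wins server behaviour are assumptions.

```javascript
// Constructed model of a browser cookie jar (RFC 6265 path matching and ordering).
// Cookie name, paths, values and page name are hypothetical, not Snitz's real ones.

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = []; this.clock = 0; }
  // A cookie is identified by (name, path): the same name on another path
  // is a second cookie, it does not overwrite the first.
  set(name, value, path) {
    const existing = this.cookies.find(c => c.name === name && c.path === path);
    if (existing) { existing.value = value; return; }
    this.cookies.push({ name, value, path, created: this.clock++ });
  }
  clear() { this.cookies = []; }
  // Build the Cookie header: longer paths first, then older cookies first.
  header(requestPath) {
    return this.cookies
      .filter(c => pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Assumption: the server keeps the first value it sees for a repeated name.
function serverReads(header, name) {
  for (const pair of header.split("; ")) {
    const eq = pair.indexOf("=");
    if (pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null;
}

function demo() {
  const jar = new CookieJar();
  jar.set("ForumUser", "old-login", "/forum"); // set while location was "forum"
  jar.set("ForumUser", "new-login", "/");      // set after switching to "website"
  const before = serverReads(jar.header("/forum/default.asp"), "ForumUser");
  jar.clear();                                  // member clears out cookies
  jar.set("ForumUser", "new-login", "/");
  const after = serverReads(jar.header("/forum/default.asp"), "ForumUser");
  return { before, after };
}
```

Until the jar is cleared, both cookies are sent and the one scoped to the forum path comes first, so `demo()` returns the stale value for `before` and the fresh one for `after`.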