weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 16:28:49
ok, a member of mine pointed out that he can read the titles of topics that are in forums that are allowed member list hidden and allowed member list not hidden, meaning he can essentially read our admin topic titles, which tend to give away what the body is about. He did this in the form of simply going to the search page and selecting a forum and as search criteria putting a period ( . ) and got of course all topics that contained a period. The forum in general is 3.4.03 but the search page is from 3.4.04. I tested this by simply logging out and attempting such and sure enough all forums were listed, hidden and non hidden ones; chose a hidden one and typed a period and got the topics listing. I was thinking when populating the list of forums, should there not be a check for allowed to x forum and only display the forums that the user is allowed to view? That way the users cannot see topic titles that are in private forums? Or is there something wrong in my search page, the one that I used from the 3.4.05 zip package? Thanks! You can see my search page here: www.weeweeslap.com/forum/search.asp. In the search forum drop down the following forums are not visible to the normal member, just mods and admins, yet show up in the list and in the results; though the topic titles are the only thing readable, they can give out some info that is not desired to be known: staff lounge, weblogs development, front page news, video links section, admins only, moved topics. Thanks for your attention.

Edit: the only modification done to this page is the editing of line 699, changed from

    strSql = strSql & " WHERE M_STATUS = " & 1

to

    strSql = strSql & " WHERE M_STATUS = " & 1 & " AND M_LASTPOSTDATE <> ''"

done so that only members that have posted are listed there.
coaster crazy
Edited by - weeweeslap on 27 March 2006 16:34:00
weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 16:39:55
I did notice the search forum here is different from the one I got in the zip: the one here allows you to type the username in, while the one from the 3.4.05 zip I got still has the drop down list for members. Let me dl another from another source and report back.
coaster crazy
weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 16:45:47
Just tried 3 other sources and all the same result.
coaster crazy
ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 27 March 2006 : 17:05:03
You should try other forums. Just tried a couple and all works as expected. I believe the problem must be with your code. I will check how the allowed forums are checked in search.asp.
Snitz 3.4 Readme | Like the support? Support Snitz too
HuwR (Forum Admin, United Kingdom, 20595 Posts)
Posted - 27 March 2006 : 17:07:54
I will agree with ruirib: there is something wrong with your forum, weeweeslap. If you are logged out you should not see forums in the list that you do not have access to.
weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 17:38:44
ok thanks, I don't understand why this is showing up like this. I am noticing odd behavior now on the forums ( all icon sizes have been fixated to a certain width ) so I must attend to that. Thanks for your help, I appreciate you checking how the allowed forums are checked in search.asp ruirib. Thanks to both.
coaster crazy
ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 27 March 2006 : 17:59:53
This is the code in search.asp (3.4.05) that determines the allowed forums for a user. Goes from line#134 to #189. You should have something similar in your code. Compare it with those.

    ' Build allAllowedForums, the comma-separated list of forum ids this member may read.
    ' Admins (mLev = 4) skip the check entirely; everyone else is filtered forum by forum.
    if strPrivateForums = "1" and mLev < 4 then
        allAllowedForums = ""
        allowSql = "SELECT FORUM_ID, F_SUBJECT, F_PRIVATEFORUMS, F_PASSWORD_NEW"
        allowSql = allowSql & " FROM " & strTablePrefix & "FORUM"
        allowSql = allowSql & " WHERE F_TYPE = 0"
        allowSql = allowSql & " ORDER BY FORUM_ID"
        set rsAllowed = Server.CreateObject("ADODB.Recordset")
        rsAllowed.open allowSql, my_Conn, adOpenForwardOnly, adLockReadOnly, adCmdText
        if rsAllowed.EOF then
            recAllowedCount = ""
        else
            allAllowedData = rsAllowed.GetRows(adGetRowsRest)
            recAllowedCount = UBound(allAllowedData,2)
        end if
        rsAllowed.close
        set rsAllowed = nothing
        if recAllowedCount <> "" then
            ' Column positions in the GetRows array
            fFORUM_ID = 0
            fF_SUBJECT = 1
            fF_PRIVATEFORUMS = 2
            fF_PASSWORD_NEW = 3
            for RowCount = 0 to recAllowedCount
                Forum_ID = allAllowedData(fFORUM_ID,RowCount)
                Forum_Subject = allAllowedData(fF_SUBJECT,RowCount)
                Forum_PrivateForums = allAllowedData(fF_PRIVATEFORUMS,RowCount)
                Forum_FPasswordNew = allAllowedData(fF_PASSWORD_NEW,RowCount)
                ' Work out whether the member moderates this forum
                if mLev = 4 then
                    ModerateAllowed = "Y"
                elseif mLev = 3 and ModOfForums <> "" then
                    if (strAuthType = "nt") then
                        if (chkForumModerator(Forum_ID, Session(strCookieURL & "username")) = "1") then ModerateAllowed = "Y" else ModerateAllowed = "N"
                    else
                        if (instr("," & ModOfForums & "," ,"," & Forum_ID & ",") > 0) then ModerateAllowed = "Y" else ModerateAllowed = "N"
                    end if
                else
                    ModerateAllowed = "N"
                end if
                ' Only forums that pass the access check are appended to the list
                if chkForumAccessNew(Forum_PrivateForums,Forum_FPasswordNew,Forum_Subject,Forum_ID,MemberID) = true then
                    if allAllowedForums = "" then
                        allAllowedForums = Forum_ID
                    else
                        allAllowedForums = allAllowedForums & "," & Forum_ID
                    end if
                end if
            next
        end if
        ' No readable forums at all: use 0 so the later IN clause matches nothing
        if allAllowedForums = "" then allAllowedForums = 0
    end if
Snitz 3.4 Readme | Like the support? Support Snitz too
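The access check this loop performs, and the reason the search query itself has to be constrained by the resulting list, as an added Python illustration (my own code, not Snitz code). It models the FORUM and TOPIC tables in an in-memory SQLite database with constructed sample rows, replaces chkForumAccessNew with a simplified membership check (assumption: no password-protected forums, and the member-level values 4 = admin and lower = moderator/member are taken from the thread's mLev checks), and repeats the test the first post describes, searching for a period as a logged-out visitor, against a search that ignores the allowed list and one that applies it.

```python
"""Added example, not Snitz code: the allowed-forum filter from search.asp,
modelled in Python over an in-memory SQLite database with constructed data."""
import sqlite3

ADMIN_LEVEL = 4  # Snitz mLev 4 = admin, as in the thread's code; lower levels are moderators/members

# Constructed sample data (not taken from the thread).
FORUMS = [
    # (FORUM_ID, F_SUBJECT, F_PRIVATEFORUMS): 0 = open forum, 1 = private/hidden forum
    (1, "General discussion", 0),
    (2, "Staff lounge", 1),
    (3, "Admins only", 1),
]
TOPICS = [
    # (TOPIC_ID, FORUM_ID, T_SUBJECT)
    (10, 1, "Welcome. Please read the rules."),
    (11, 2, "Staff meeting agenda. Friday."),
    (12, 3, "Maintenance window. Saturday night."),
]
# Private-forum membership, FORUM_ID -> member names granted access (constructed; admins need no entry).
PRIVATE_MEMBERS = {2: {"mod_bob"}}


def open_db():
    """Create the FORUM and TOPIC tables in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE FORUM (FORUM_ID INTEGER PRIMARY KEY, F_SUBJECT TEXT, F_PRIVATEFORUMS INTEGER);"
        "CREATE TABLE TOPIC (TOPIC_ID INTEGER PRIMARY KEY, FORUM_ID INTEGER, T_SUBJECT TEXT);"
    )
    conn.executemany("INSERT INTO FORUM VALUES (?, ?, ?)", FORUMS)
    conn.executemany("INSERT INTO TOPIC VALUES (?, ?, ?)", TOPICS)
    return conn


DB = open_db()


def chk_forum_access(private, forum_id, member_id, mlev):
    """Simplified stand-in for chkForumAccessNew (assumption: no password-protected forums).
    member_id is None for a logged-out visitor."""
    if private == 0 or mlev >= ADMIN_LEVEL:
        return True
    return member_id is not None and member_id in PRIVATE_MEMBERS.get(forum_id, set())


def allowed_forums(member_id, mlev):
    """Same shape as the allAllowedForums loop: walk every forum and keep the readable ones."""
    rows = DB.execute("SELECT FORUM_ID, F_PRIVATEFORUMS FROM FORUM ORDER BY FORUM_ID").fetchall()
    return [fid for fid, private in rows if chk_forum_access(private, fid, member_id, mlev)]


def search_topics_leaky(term):
    """The failure mode reported in the thread: the query never consults the allowed list,
    so a term every title matches (a period) lists private-forum titles too."""
    rows = DB.execute("SELECT T_SUBJECT FROM TOPIC WHERE T_SUBJECT LIKE ? ORDER BY TOPIC_ID",
                      ("%" + term + "%",))
    return [r[0] for r in rows]


def search_topics(term, member_id, mlev, forum_id=None):
    """Hardened search: the forum picked in the drop-down is intersected with the allowed
    list, and the SQL is restricted to that list with a parameterised IN clause."""
    allowed = allowed_forums(member_id, mlev)
    if forum_id is not None:
        allowed = [f for f in allowed if f == forum_id]  # an unreadable forum id yields nothing, not an error
    if not allowed:
        return []
    placeholders = ",".join("?" * len(allowed))
    sql = ("SELECT T_SUBJECT FROM TOPIC WHERE T_SUBJECT LIKE ? AND FORUM_ID IN (%s) ORDER BY TOPIC_ID"
           % placeholders)
    rows = DB.execute(sql, ("%" + term + "%", *allowed))
    return [r[0] for r in rows]


def leaked_titles(member_id, mlev, results):
    """Regression check matching the first post's test: which returned titles belong to forums
    this caller may not read? An empty list means the search respects the allowed list."""
    allowed = set(allowed_forums(member_id, mlev))
    hidden = {subject for _, fid, subject in TOPICS if fid not in allowed}
    return sorted(hidden & set(results))


if __name__ == "__main__":
    guest = search_topics_leaky(".")
    print("leaky search as guest leaks:", leaked_titles(None, 0, guest))
    print("hardened search as guest:", search_topics(".", None, 0))
    print("hardened search as moderator of forum 2:", search_topics(".", "mod_bob", 3))
```

The point the two search functions make is the one the thread circles around: computing allAllowedForums is only half the job; the forum drop-down and the topic query must both be derived from that list, otherwise a harmless search term enumerates private titles. leaked_titles is the kind of check to run as a logged-out visitor after any edit to search.asp or the access functions.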
weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 18:12:03
Exactly the same here on my search.asp page.
coaster crazy
ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 27 March 2006 : 18:21:23
I would do a response.write of the allAllowedForums variable after the end of that code, for a normal user. The same code would produce the same results, which is not happening here.
You can also post a text version of your search.asp file.
Snitz 3.4 Readme | Like the support? Support Snitz too
weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 18:30:15
www.weeweeslap.com/forum/search.txt here's the text version of it. Thank you, I don't know how to do the response.write thing :(
coaster crazy
ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 27 March 2006 : 19:17:50
You have a search log mod added. I don't know whether that is the cause for this. It may also be caused by changes to inc_func_secure.asp or inc_func_common.asp. If you post a link to inc_func_secure.asp I'll have a look at it.
Snitz 3.4 Readme | Like the support? Support Snitz too
weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 19:35:18
Actually I just added that mod after the problems were occurring, since the user that notified me said he was searching for hidden forums and wanted to see what he was searching for. I have not edited inc_func_secure.asp; some minor changes to inc_func_common.asp though. Here are both files in txt: www.weeweeslap.com/forum/inc_func_secure.txt www.weeweeslap.com/forum/inc_func_common.txt
coaster crazy
ruirib (Snitz Forums Admin, Portugal, 26364 Posts)
Posted - 27 March 2006 : 20:03:01
In what file do you have a function called chkForumAccessNew? It is in inc_func_secure.asp in 3.4.05, but I don't know where it is located in 3.4.03. Please locate it. The problem may as well be that function.
Snitz 3.4 Readme | Like the support? Support Snitz too
weeweeslap (Senior Member, USA, 1077 Posts)
Posted - 27 March 2006 : 20:24:28
I cannot find chkForumAccessNew. I have to go to work now so I will check it afterwards; I'll post a copy of the file if I find it, thanks.
coaster crazy