modifichicci
Average Member
Italy
787 Posts
Posted - 09 January 2008 : 14:53:49
I have noticed that admin_info is accessible to all admins, not only the main forum admin (id 1). In that function the id and password of the MySQL db are shown; I think that could be reserved to the forum admin only, looking at the last hacking.. (ok, the fix stopped them, but if another bug comes out and someone can log in as admin, they can access the db, and that is not a good thing, is it?)
What do you think about it?
Ernia e Laparocele Forum di Ernia e Laparocele Acces - MySql Migration Tutorial Adamantine forum
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 09 January 2008 : 16:59:10
yes, probably a good idea
ruirib
Snitz Forums Admin
Portugal
26364 Posts
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 10 January 2008 : 01:56:40
useful piece of totally out of context code, thanks for that!!
davemaxwell
Access 2000 Support Moderator
USA
3020 Posts
Posted - 10 January 2008 : 13:28:09
quote: Originally posted by Image
That is exactly the answer I am waiting for.
Do you think this fix is not out of context? http://forum.snitz.com/forum/topic.asp?TOPIC_ID=63022
Image,
Did you see the post that Davio made after you in that thread? He posted the names of the files that needed to be changed (though in this case the page would be admin_info.asp), the line numbers in the baseline version, and the code being changed. He showed the original, then showed what he changed with highlights. This makes it much easier for someone to come in and incorporate bug fixes into the baseline version.
That's the point Huw is trying to make. We appreciate the fact that you're taking the time and trying to help, but if you could please take a few extra minutes and show a before and after to your code changes, it makes it easier on someone trying to incorporate them into baseline versions.
quote: Originally posted by Image
I am waiting for the new version.07 to send you 2 new bugs with that fix.
If you've got known bugs, then please either post them now, or at the very least get in touch directly with Davio so that they can be corrected before the version is released.
I don't mean to be rude, but why in the world would you want to wait and add bugs to a version that hasn't been released yet? It makes much more sense to tag them before it's released.
Dave Maxwell Barbershop Harmony Freak
modifichicci
Average Member
Italy
787 Posts
Posted - 10 January 2008 : 14:19:53
A quick fix to admin_info.asp
change line 95
    if item.value = "" then
to
    ' only the main forum admin (intAdminMemberID) may see the connection credentials
    if (item.name = "User Name" or item.name = "Password" or item.name = "Extended Properties" or item.name = "Current Catalog" or item.name = "Server Name") and MemberID <> intAdminMemberID then
        Response.Write "Not allowed"
    elseif item.value = "" then
These lines cut the db name, password and location of the mysql server for users who are not the forum admin. This works for a mysql db, not tested on access.. If there are other values to be hidden it's sufficient to add the variable to the if statement.. Just a quick look at it and a simple suggestion..
Ernia e Laparocele Forum di Ernia e Laparocele Acces - MySql Migration Tutorial Adamantine forum
Edited by - modifichicci on 10 January 2008 14:20:35
Carefree
Advanced Member
Philippines
4207 Posts
Posted - 31 October 2008 : 01:21:31
For Access database users (and possibly others), we need to add another variable (in red):
This eliminates both the "data source" and the "data source name" variables, which both reported the path and database names.
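The check from modifichicci's post, with the two Access property names Carefree adds, modelled as an added Python example (not Snitz code): intAdminMemberID is assumed to be member 1, the ADO property names and values are constructed samples, and skipping empty values is an assumption about what the original `item.value = ""` branch did. The `sensitive` parameter lets you compare the MySQL-only list with the full one.

```python
# Added example, not code from Snitz Forums: the admin_info.asp property
# filter from this thread modelled in Python so the rule can be checked
# offline. INT_ADMIN_MEMBER_ID stands in for the page's intAdminMemberID
# (assumed to be 1, the main forum admin, as the first post says).
INT_ADMIN_MEMBER_ID = 1

# Names modifichicci's if statement blocks (MySQL). Stored lower-cased so the
# check is case-insensitive; VBScript's "=" compares strings case-sensitively,
# so a differently cased property name would slip past the original line.
MYSQL_SENSITIVE = frozenset(n.lower() for n in (
    "User Name", "Password", "Extended Properties", "Current Catalog", "Server Name"))
# Carefree's Access additions: the path and database name leak through these.
ALL_SENSITIVE = MYSQL_SENSITIVE | {"data source", "data source name"}


def render_connection_properties(properties, member_id, sensitive=ALL_SENSITIVE):
    """Return the (name, text) rows admin_info would display.
    `properties` is a list of (name, value) pairs standing in for the ADO
    Connection.Properties collection. Sensitive names show "Not allowed"
    unless the viewer is the main admin; empty values are skipped (assumed
    to be what the original `item.value = ""` branch did).
    """
    rows = []
    for name, value in properties:
        if name.lower() in sensitive and member_id != INT_ADMIN_MEMBER_ID:
            rows.append((name, "Not allowed"))
        elif value == "":
            continue
        else:
            rows.append((name, value))
    return rows


# Constructed sample properties, not real connection data.
MYSQL_PROPERTIES = [
    ("Data Source Name", "snitz_dsn"), ("User Name", "forumuser"),
    ("Password", "s3cret"), ("Server Name", "db.internal"),
    ("Current Catalog", "snitzdb"), ("Prompt", ""), ("Locale Identifier", "1033"),
]
ACCESS_PROPERTIES = [
    ("Data Source", r"C:\inetpub\wwwroot\forum\data\snitz.mdb"),
    ("Extended Properties", ""), ("Mode", "16"),
]

if __name__ == "__main__":
    # A second admin (member 2) still sees the Access path with the MySQL-only list.
    for label, names in (("MySQL-only list", MYSQL_SENSITIVE), ("full list", ALL_SENSITIVE)):
        print(f"--- member 2, {label} ---")
        for name, text in render_connection_properties(ACCESS_PROPERTIES, 2, names):
            print(f"{name}: {text}")
```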