Security Flaw in Morebcoptions (Read 1386 times)
AK108
Jan 12th, 2004 at 3:11am
One of my admins has shown me a security flaw in my forum. When a user searches my recent posts, they can see my posts that are even in the admin board. I use the protection provided by morebcoptions. I even have a password set for it, but it still lets a normal user see the posts. I assume the search function has the same flaw, but I have not tried it.

The obvious patch is for me to set the category restriction as I did before the mod was in place. The only problem with this is that I made it so that if it was protected by morebcoptions, it didn't matter if you were an admin.

(I'm on a YaBB SP 1.3 with "mbc2_sp13.mod" along with quite a few other mods. If you need a list of what I've installed and changed, I can make one for you.)

Edited:
I managed to put in a static fix by excluding some forums in this manner:
(at about line 1329)
Replacing this:
Code
    unless ($settings[7] eq "Administrator") {
        my $cookiename = "$cookiepassword$curboard";
        my $crypass = crypt($boardpw{$curboard},$pwseed);
        my $access = &AccessCheck($curboard, '');
        if (($boardpw{$curboard} && $yyCookies{$cookiename} ne $crypass) || ($access ne "granted")) { next; }

With this:
Code
    unless ($settings[7] eq "Administrator") {
        my $cookiename = "$cookiepassword$curboard";
        my $crypass = crypt($boardpw{$curboard},$pwseed);
        my $access = &AccessCheck($curboard, '');
        if (($boardpw{$curboard} && $yyCookies{$cookiename} ne $crypass) || ($access ne "granted")) { $allowed = "no"; }
        if ($curboard eq "Mod\n") { $allowed = "no"; }
        if ($curboard eq "admin\n") { $allowed = "no"; }
    }
    ####
    unless ($allowed eq "no") { #double negative

And it'll be easy to get it to read from a file, and an interface to specify the boards will be easy, also.
« Last Edit: Jan 12th, 2004 at 10:47pm by AK108 »  

For my mods, check out my public notes.

You might be interested in my projects, or my forum, the Flying Kirby Pub.
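
An added example, not part of the original post and not YaBB's or the mod's own code: one way to route every listing path (recent posts, search) through a single per-board check that returns its decision as a value, instead of hard-coding board names in the loop. The `access_check` stub, `board_visible`, `filter_posts`, `%members_only` and all sample values are assumptions constructed for illustration; only the variable names `$pwseed`, `$cookiepassword` and `%boardpw` come from the fragment above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data; variable names mirror the fragment in the post.
my $pwseed         = 'ya';                 # constructed salt
my $cookiepassword = 'YaBBpass';           # constructed cookie-name prefix
my %boardpw        = (admin => 's3cret');  # boards protected by a password
my %members_only   = (Mod => 1);           # stand-in for the mod's access lists

# Stand-in for the forum's AccessCheck(); the real routine is not shown on the page.
sub access_check {
    my ($board, $user) = @_;
    return 'granted' unless $members_only{$board};
    return $user->{groups}{$board} ? 'granted' : 'denied';
}

# One decision per board, returned as a value so that nothing carries
# over from the previous board in the loop.
sub board_visible {
    my ($board, $user, $cookies) = @_;
    chomp $board;                          # ids read from a file may end in "\n"
    return 1 if $user->{position} eq 'Administrator';
    return 0 if access_check($board, $user) ne 'granted';
    if (defined $boardpw{$board} && length $boardpw{$board}) {
        my $have = $cookies->{"$cookiepassword$board"};
        return 0 unless defined $have;     # no cookie at all: deny
        return 0 unless $have eq crypt($boardpw{$board}, $pwseed);
    }
    return 1;
}

# Recent posts and search both filter their results through the same check.
sub filter_posts {
    my ($posts, $user, $cookies) = @_;
    return [ grep { board_visible($_->{board}, $user, $cookies) } @$posts ];
}

# Constructed posts; board ids keep a trailing newline as in the post's fix.
my @recent = (
    { board => "general\n", subject => 'Welcome'  },
    { board => "admin\n",   subject => 'Ban list' },
    { board => "Mod\n",     subject => 'Reports'  },
);
my $guest = { position => '', groups => {} };
print "$_->{subject}\n" for @{ filter_posts(\@recent, $guest, {}) };
```

Because the protected boards come from `%boardpw` and the access lists rather than from string comparisons in the loop, a newly protected board is covered without editing the listing code.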
BHRA Webmaster
Re: Security Flaw in Morebcoptions
Reply #1 - Jan 19th, 2004 at 9:01pm
This is a known oversight, the solution to which is available in numerous threads on this board. (As a hint, start with the MBCO2 thread on the Final Mods board.)
  


World Domination, one smiley at a time!
AK108
Re: Security Flaw in Morebcoptions
Reply #2 - Feb 3rd, 2004 at 3:08am
(I fixed it some time ago, but thanks. I think it was due to a hack into it that I made.)
  
