BoardMod Mirror - Secirity flaw in Report to Moderator Mod

(UTC)

Choose Language:

BoardMod Mirror › Mod Support › Mod Bugs › Secirity flaw in Report to Moderator Mod

‹ Previous Topic | Next Topic ›

Page Index Toggle

Pages: 1

Normal Topic

Secirity flaw in Report to Moderator Mod (Read 2140 times)

goldengate2 Guest	Secirity flaw in Report to Moderator Mod Feb 1^st, 2004 at 4:53am	Print Post
	I noticed in the Report to Moderator mod that an email addy is revealed in the sending URL of the person who's being reported. All someone has to do is "copy link" then paste into notepad and they can get all the email addy's of everyone who's posted (hidden or not).


	IP Logged

astropilot God Member Offline Posts: 828 Location: Louisville Joined: Jun 18^th, 2003 Gender:	Re: Secirity flaw in Report to Moderator Mod Reply #1 - Jun 17^th, 2004 at 2:39am	Print Post
	Here is the fix - Two files to edit ReportToMod.pl and Display.pl (already modded) Note: You should probably edit your mod file also to reflect the changes to Display.pl so it will unistall easily. ReportToMod.pl ---------------------------------------- <Search for> Code <input type="hidden" name="thread" value="$INFO{'thread'}"> <input type="hidden" name="board" value="$INFO{'board'}"> <input type="hidden" name="id" value="$INFO{'id'}"> <input type="hidden" name="subject" value="$INFO{'subject'}"> <input type="hidden" name="poster" value="$INFO{'poster'}"> <input type="hidden" name="email" value="$INFO{'email'}"> <input type="hidden" name="username" value="$INFO{'username'}"> <input type=submit value="$rtm{'5'}" onClick="return confirmDel()"> <Replace with> Code <input type="hidden" name="thread" value="$INFO{'thread'}"> <input type="hidden" name="board" value="$INFO{'board'}"> <input type="hidden" name="id" value="$INFO{'id'}"> <input type="hidden" name="subject" value="$INFO{'subject'}"> <input type="hidden" name="poster" value="$INFO{'poster'}"> <input type="hidden" name="username" value="$INFO{'username'}"> <input type=submit value="$rtm{'5'}" onClick="return confirmDel()"> <Search for> Code # construct email message &LoadUser($username); <Add After> Code &LoadUser($FORM{'poster'}); $useremail = $userprofile{$FORM{'poster'}}->[2]; <Search for> Code $mailtext = "$rtm{'8'} $userprofile{$username}->[1] ($settings[2]):\n\n$rtm{'9'}: $FORM{'subject'}\n$rtm{'10'} $FORM{'id'} $rtm{'11'}.\n$rtm{'12'}: $FORM{'poster'} scripturl?action=viewprofile;username=$username"; <Replace with> Code $mailtext = "$rtm{'8'} $userprofile{$username}->[1] ($settings[2]):\n\n$rtm{'9'}: $FORM{'subject'}\n$rtm{'10'} $FORM{'id'} $rtm{'11'}.\n$rtm{'12'}: $FORM{'poster'} pturl?action=viewprofile;username=$username"; Display.pl --------------------------------- <Search for> Code <a me&username=$musername&email=$memail"><img src="$imagesdir/rtm.gif" alt="$rtm{'22'}" border="0"> <font size="1" class="imgwindowbg">$rtm{'22'}</font></a> <Replace with> Code <a me&username=$musername"><img src="$imagesdir/rtm.gif" alt="$rtm{'22'}" border="0"> <font size="1" class="imgwindowbg">$rtm{'22'}</font></a> That's it. With this, the email will not be seen by any user, but it will be looked up by the script and be sent to the moderators in their email as usual. Hope this helps. astro-pilot

	"For I am not ashamed of the gospel of Christ..." Romans 1:16 --- http://www.ssflynn.com www.flynnfarmsofkentucky.com
	IP Logged

Seawolf Senior Member Offline YaBB - it's not just a board, it's an OBSESSION! Posts: 351 Location: Valparaiso Joined: May 19^th, 2002 Gender:	Re: Secirity flaw in Report to Moderator Mod Reply #2 - Sep 27^th, 2004 at 8:31pm	Print Post
	Made a mod file for those that don't want to go through all that manually - attached to this message - all credit to astro-pilot. Attached to this message.

	RTMEmailSecFix1SP132.mod ( 3 KB \| Downloads )
	ICQ YIM IP Logged

astropilot God Member Offline Posts: 828 Location: Louisville Joined: Jun 18^th, 2003 Gender:	Re: Secirity flaw in Report to Moderator Mod Reply #3 - Sep 30^th, 2004 at 3:29am	Print Post
	Thsnks

	"For I am not ashamed of the gospel of Christ..." Romans 1:16 --- http://www.ssflynn.com www.flynnfarmsofkentucky.com
	IP Logged

Page Index Toggle

Pages: 1

‹ Previous Topic | Next Topic ›

« Board Index ‹ Board Top

Top

BoardMod Mirror » Powered by YaBB 2.6.12!
YaBB Forum Software © 2000-2024. All Rights Reserved.

Valid XHTML

Valid CSS

Powered by Perl

Source Forge