Quote:
You can always check in moderator log who used this hack. |
Quote:
Now unless there is something wrong with how I have set this up then there definitely is a problem. The only users I have allowed to use this is two admin accounts, I don't understand how guests could use it. |
We have also found out that users were able to use the login to user account via a link on all members profiles as a guest.
|
https://vborg.vbsupport.ru/showthread.php?t=168819
this works great on vb 3.8.1 |
Quote:
https://vborg.vbsupport.ru/showpost....&postcount=247 I hope that this is something I have overlooked. |
Quote:
Feel free to report product to forum Staff so they can check it and move it to "Mod Graveyard" if they find such bug. No one reported such issue before. Check your settings and ensure that proper user IDs are added to the list of Admins. IDs should be separated with commas. |
I tested with a regular member and a guest, I don't have the problem.
|
There are no logs at all of the activity as it is a guest able to do this. All user IDs have been correct too. @ Nascartr, I have tested it myself on a friend's board without the same problem. I am sure this wasn't possible on our board until lately. Could it be anything to do with not using the default memberinfo template?
|
I got a vbulletin error page when I tried to log in to an account on my site. I went back to the main page and it was gone, and I was logged in as myself but it was telling me I was logged in as someone else. I haven't even opened this site yet and have maybe 4 other hacks total installed. Any idea?
Great hack, by the way -- I had it on my last board and it was very useful with helping out a user on their account without having them change their password to something generic and then changing it back. |
Quote:
Quote:
Try to clear forum cookies, then re-log-in to your account, then try to log-in as user. |
DUDE...omg this is one of the most amazing and freaky plugin ever...<3 u
|
You've said this is impossible, well how come it is doing this on our board as a guest even after installing the plugin again?
[removed the link ;)] is exactly what can be used on our forum for some reason with this modification enabled. That is without link on profiles etc and only allowed for myself to use it in the options for this. |
Got it at last! This modification is not to blame and I apologise Cyb, I have just figured it out! Another mod is allowing this security risk to be open in conflict which I am reporting.
|
Actually I take that back, it is still doing the same thing.
I have tested the flaw in IE8 but it doesn't work and only seems to work in FF. I have disabled all the modifications using usergroups and still get this problem. Also, our guest count drops to zero guests as soon as I attempt the trick, it resets our guests somehow. |
I didn't realize the logging was on by default and have now disabled it, but is there a way to get rid of the logs that are already in the database?
|
Quote:
With this link I am able to login into any account at my forum I want to! Even without being even logged in before!!! How is this possible?!?!?! DANGEROUS!!!!!! |
Sweeks, edit that link out.
|
And of course Cybernetec doesn't accept PMs. Unless he takes a look at the above within a day I'm going to PM one of the mods and have them move this to the mod graveyard.
|
I just edited my Quote so that the URL disappears.
Well, I'm a bit shocked... I never thought, that an AddOn could do things like that! :eek::( |
I PMed an admin to remove the other URL too.
|
Did somebody already cross check versions 3.7, 3.6 and 3.5 if they have the same heavy bug?
btw: every admin using this AddOn should be informed "asap" by eMail as soon as Cybernetec or vb-Admin has confirmed this bug. |
Here I go again...
Seems like we have a worst-case-scenario... :( I just tried to "hijack" an admin account of a forum posted in the signature of a user using the 3.7-Version. Unfortunately, I was successful... I now have full access of his forum! Don't worry - I will not do any harm! ADMINs! Please remove all versions of this AddOn & inform every admin to disable this AddOn as soon as possible! If vb-Admins would like to test hijacking forums - send PN and I'll give you some links to vulnerable forums. There you can hijack any account you want. Unbelievable!!!! :mad::down: |
Confirm the Phobos49 called Bug!
|
Told you it wasn't impossible :D The only mod that does the same and seems secure right now is:
https://vborg.vbsupport.ru/showthread.php?t=168819 |
I think now the problem fixed :P
|
changelog?
|
I'm currently using this hack for my forum. But how is it possible that somebody easily uses the url? Does he need an account on the forum or which way does it work?
|
a confirmation from cyb will be nice.
Sorry if i ask Cyb, is this mod safe now? can i install it? |
if this mod safe now, plz edit phobos post above!
|
Quote:
Version 2.3 should be safe now (did not test myself yet). But every admin MUST update to 2.3 to secure his forum! So I am not going to edit my posting. |
Quote:
|
When I try to add this url-code to the member.php I just see a login screen. So, there is no problem is it ?
|
Quote:
|
Thanks for update.
|
v2.3 - Apr 11. 2009.
- Bug fix (non-Admins able to login to user accounts in some cases)
- Bug fix (Admin can not search product entries in ModLog by product ID)
- Bug fix (logging error if username contains special characters)
- Bug fix (Admin must be member of usergroup 6 to use product)
- Minor bugs fixed

Upgrade Info:
- Import product XML, allow overwrite
- Revert product templates if any modified |
nice man!
|
The update is working fine now. Thank you. The only problem is when manually placing the link in MEMBERINFO everyone can see it unless you wrap it in a conditional like the following.
Code:
<if condition="is_member_of($vbulletin->userinfo, array(6))">
<!-- the manually placed login link goes here -->
</if>
|
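A template conditional like the one in the post above only controls who sees the link; earlier posts in this thread report the URL being used directly by guests, so the request handler has to enforce the allow-list itself. The following is an added example, not part of the thread and not the product's code (the thread does not state what the actual bug was): a deny-by-default check against the comma-separated admin ID setting, where the function names and the sample data are hypothetical and the only assumption about vBulletin is that guests have user ID 0.

```php
<?php
// Added example, not the product's code. Function names are hypothetical.

/**
 * Parse the comma-separated "Admins" setting into a strict list of user IDs.
 * Empty or non-numeric entries are dropped, so "" or "1,,abc" can never
 * produce an entry equal to 0, the user ID of a guest session.
 */
function parse_admin_ids(string $setting): array
{
    $ids = [];
    foreach (explode(',', $setting) as $entry) {
        $entry = trim($entry);
        if (ctype_digit($entry) && (int)$entry > 0) {
            $ids[] = (int)$entry;
        }
    }
    return array_values(array_unique($ids));
}

/** Deny by default: only a logged-in user whose ID is on the list may proceed. */
function may_login_as_user(array $userinfo, string $setting): bool
{
    $userid = (int)($userinfo['userid'] ?? 0);
    if ($userid <= 0) {
        return false; // guest or missing session
    }
    // Strict comparison: integer IDs only, no loose string/number matching.
    return in_array($userid, parse_admin_ids($setting), true);
}

// Constructed sample data: label, session user, value of the admin ID setting.
$cases = [
    ['guest, empty list',  ['userid' => 0],  ''],
    ['guest, sloppy list', ['userid' => 0],  '1, ,abc,0'],
    ['member not on list', ['userid' => 57], '1,2'],
    ['admin on list',      ['userid' => 2],  '1, 2'],
];
foreach ($cases as [$label, $user, $setting]) {
    printf("%-20s %s\n", $label, may_login_as_user($user, $setting) ? 'ALLOW' : 'DENY');
}
```

The check belongs in the code path that performs the account switch, so it applies whether or not any link is rendered in a template.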
Works perfect
Thanks! |
When I click on Set Admins, it loads misc.php in that frame, and nowhere can I set the admins that can use this.
It seems this link isn't working misc.php?do=cybltua_set |
It doesn't matter who I "log in to" I always get:
Quote:
|