vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Security Issue (https://vborg.vbsupport.ru/showthread.php?t=118283)

Rickie3 06-11-2006 04:32 AM
Security Issue
 
1 Attachment(s)
I'm hoping someone here can give me some advice,ok here goes
I created some private forums on my board that certain usergroups can view only
the usergorups that have access are
V.I.P colour Purple
Moderators colour Blue
Super Moderators Green
Admins Red.

Now my normal registered users are not allowed access to these forums at all unless i give them access

Normal registered usergroup colour is black.

Ok what happened some of the content from the private sections were taken screenshots of and given out to the public,which has made me very upset and very hard to pin point who and what member was responsiable.I have the hack installed that shows what member has viewed the thread.To my surprise a normal registered user was able to view that private thread,i have checked all my logs and that users permissions,and cant see how this member could view that thread,do i have a security issue on my board how could someone access pages without having the right permissions??? i'm at a loss
see my screenshot below the normal registered user who's name is in black and i have circled red should not have been able to access that forum at all,please can someone help.

Boofo 06-11-2006 04:41 AM
Quote:
Originally Posted by Rickie3
I'm hoping someone here can give me some advice,ok here goes
I created some private forums on my board that certain usergroups can view only
the usergorups that have access are
V.I.P colour Purple
Moderators colour Blue
Super Moderators Green
Admins Red.

Now my normal registered users are not allowed access to these forums at all unless i give them access

Normal registered usergroup colour is black.

Ok what happened some of the content from the private sections were taken screenshots of and given out to the public,which has made me very upset and very hard to pin point who and what member was responsiable.I have the hack installed that shows what member has viewed the thread.To my surprise a normal registered user was able to view that private thread,i have checked all my logs and that users permissions,and cant see how this member could view that thread,do i have a security issue on my board how could someone access pages without having the right permissions??? i'm at a loss
see my screenshot below the normal registered user who's name is in black and i have circled red should not have been able to access that forum at all,please can someone help.
That's really not that hard to do. I'm not sure how the read a thread hack works, but all a user has to do it directly link the thread and it would show them as viewing it even though they can't see it (if the hack works like I think it does).

What is sounds like to me, and bear with me on this, is that you have a Staff member somewhere that has figured this out and has either used the account to do this or is working in cahoots with the said user. Is this a possibility?

Rickie3 06-11-2006 05:10 AM
Hi Bob thanx for replying,i have checked all the admin logs and moderator logs and found nothing out of the ordinary,I also created a dummy registered user and used the thread direct link and it did not show the dummy as viewing that thread,this is why i'm at a loss

Boofo 06-11-2006 05:28 AM
Quote:
Originally Posted by Rickie3
Hi Bob thanx for replying,i have checked all the admin logs and moderator logs and found nothing out of the ordinary,I also created a dummy registered user and used the thread direct link and it did not show the dummy as viewing that thread,this is why i'm at a loss
Well, then I would think you have a rogue staff member that might have granted the user in question access at one time, long enough to view that thread and then set it back to throw you off. As bad as that sounds, I have seen it done in the past. No other way it can be going down in my book.

And logs are easy to manipulate.

MrZeropage 06-11-2006 05:32 AM
If you are using the latest version of Paul M's Hack "who viewed this thread", it should tell you the exact date+time when the user viewed it while hovering the mouse over the username. Maybe this helps to track down the issue a little, just look who was online in that time ect...

Rickie3 06-11-2006 05:54 AM
@MrZeropage i am running the latest hack and it does give the date and time,,but it still really doesnt norrow who could have been resposiable,I cant going accusing someone when i just dont know who it could be,and in the same time i dont want to punish all the members who have access to the said forums,i guess i'm in a no win situation,so to save face i have locked down those forums so only my admins and mods have access


All times are GMT. The time now is 06:34 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01266 seconds
  • Memory Usage 1,725KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (6)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete