vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3 Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=187)
-   -   Think Security (https://vborg.vbsupport.ru/showthread.php?t=51114)

filburt1 04-01-2003 10:00 PM
Think Security
 
I can't believe how many people are credibly suggesting this.

Example: Let's say you don't want to allow unregistered members to view the smilies page. Your solution could be to use a conditional templates hack and just remove all references to that page for guests. However, anybody who knows the URL to the page can just load it himself.

That may sound trivial, but here's another example. Let's say you have a moderator area that allows mods to quickly prune posts in a given forum. You use the above method and the same problem: anybody could figure out the URL and do whatever they want.

So, in summary, always, no exceptions ever do permission checking both when displaying certain parts of a UI and when actually executing the user's request.

JulianD 04-02-2003 08:04 PM
thanks for the tip filburt. It's always good to think about security. :)


All times are GMT. The time now is 07:02 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01206 seconds
  • Memory Usage 1,699KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (2)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete