Quote:
Originally Posted by Erwin
This hack has a potentially huge security hole - there is no internal usergroup permission check, so unregistered members can use newpm.php to send PMs. I would add some sort of check in the newpm.php file itself, plus use templates to prevent unregistered users from accessing the link.
Did you even test it?
I've just logged out of my board and tried to access /newpm.php?do=newwpm&userid=... and I get the page saying I need to log in, although I haven't changed anything from the one I posted here.