  #1  
03-10-2008, 03:06 PM
Golzarion
Join Date: Jan 2008
Posts: 214
Old problem about banned moderators!!

I think there is an old but very important problem in all versions of vBulletin!

The problem is that after I banned a moderator of my board, I saw that he did some moderator actions!! (He banned one of the users!! after he himself was banned.)

I do not know how it is possible. But I guess he used cookies & caches.

The above problem happened when I used vBulletin 3.6.8 ...
because the new version 3.7.0 asks moderators to enter their passwords for most moderation actions ...

But I have seen the same problem in the new version 3.7.0!!!

The problem is some of the users can see and read hidden forums!!

I do not know exactly how they can do it....

but I guess the problem refers to cookies and caches!!

They may use some inactive moderator IDs and change the cookies ... or steal the cookies of others...

Maybe it is a bug of the old versions of web browsers...

As I mentioned, I do not know what they do ... but it may be an old weakness of vBulletin security ....

What can we do about cookie theft?

What can be done about the users who read hidden forums that they surely do not have permission for?????

Regards
  #2  
03-10-2008, 03:10 PM
punchbowl
Join Date: Nov 2006
Posts: 505

Go to user cp, set his primary usergroup as banned and uncheck all the groups he was a member of. Also make sure your banned group is actually a banned group in usergroup manager.
  #3  
03-10-2008, 04:41 PM
Opserty
Join Date: Apr 2007
Posts: 4,103

Also make sure he is removed from the moderator list. (Though I presume that the staff at vBulletin are intelligent enough to check the user is banned before he can perform actions)
  #4  
03-10-2008, 05:01 PM
Golzarion
Join Date: Jan 2008
Posts: 214

Thank you.

I have checked them ... but all the permissions & user groups have been set correctly!

I guess the only way they use may be stealing cookies..

I am not sure yet, because I do not know about cookies in vBulletin....
  #5  
03-10-2008, 05:13 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

It is not a cookie issue. What usergroups is the user in? And what are the permissions for that usergroup? Is it marked as a "banned" usergroup? And in forum permissions, does that group have no permissions in all forums?
  #6  
03-10-2008, 05:35 PM
Golzarion
Join Date: Jan 2008
Posts: 214

He is just a registered user, and I set that registered users can not see hidden forums....

One more thing ... I do not know how, but he found a bug in the hack "Post thank you" ... and he could get thanks from any user he likes!!
  #7  
03-10-2008, 05:38 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

Don't make him a Registered User if he is banned, make him a banned user.

And, check his access masks to see if you gave him permission through those to get to the hidden forums. And check the forum permissions and make sure that Registered Users (and banned users) have absolutely no permissions to get to that Hidden Forum. Depending on the forum permissions for the 'hidden' forum, it could be that you simply have it hidden from public but are allowing users to get to it directly through a link. So, all he needs is to know the forumid and he can get to it.
  #8  
03-10-2008, 05:57 PM
Golzarion
Join Date: Jan 2008
Posts: 214

Quote:
Originally Posted by Lynne
Don't make him a Registered User if he is banned, make him a banned user.

Thank you again.... I delete the user... Before, he was the moderator of the php discussion forum, and he is a specialist in computer programming... I hope I don't have any trouble with that user ...

Quote:
for the 'hidden' forum, it could be that you simply have it hidden from public but are allowing users to get to it directly through a link. So, all he needs is to know the forumid and he can get to it

I'll check it. Thank you again.

Of course, I'm not sure I got rid of him... he said he is able to log in as anyone he likes ..
  #9  
03-10-2008, 07:55 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

Quote:
Originally Posted by Golzarion
Of course, I'm not sure I got rid of him... he said he is able to log in as anyone he likes ..

Then I would strongly suggest you go through all your Mods and see if he has added code to one. Perhaps look through your plugins and see if he added one just so he can get in. And, your pages also - see which ones are not default vb ones (Suspect File Versions).
  #10  
03-11-2008, 10:33 AM
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

To my knowledge there are no known issues as you describe with default vBulletin. If you can reproduce such behaviour with default vB, then please post a bug report.

This is either due to incorrect settings or a vulnerable modification.
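
The checks suggested in the replies above (banned primary usergroup, leftover secondary groups, the moderator list, access masks, and forums that are hidden from the index but reachable by forumid), sketched as an added example that is not part of the original thread and is not vBulletin code. The data model, names and sample records are hypothetical, and the rule that an access mask overrides usergroup permissions is an assumption of this model.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified model (not vBulletin's schema or permission code).
BANNED_GROUP, MEMBER_GROUP = "banned", "registered"

@dataclass
class User:
    name: str
    primary_group: str
    secondary_groups: set = field(default_factory=set)
    moderates: set = field(default_factory=set)       # forum ids on the moderator list
    access_masks: dict = field(default_factory=dict)  # forum id -> True/False override

@dataclass
class Forum:
    fid: int
    listed: bool      # shown in the forum index
    view_groups: set  # usergroups allowed to view

def can_view(user, forum):
    # Assumption of this model: a per-user access mask overrides group permissions.
    if forum.fid in user.access_masks:
        return user.access_masks[forum.fid]
    return bool(({user.primary_group} | user.secondary_groups) & forum.view_groups)

def audit(users, forums):
    """Return sorted (subject, issue) findings for the checks named in the thread."""
    findings = []
    for f in forums:
        # Hiding a forum from the index is not access control.
        if not f.listed and MEMBER_GROUP in f.view_groups:
            findings.append((f"forum {f.fid}", "unlisted but viewable by members"))
    for u in users:
        if u.primary_group != BANNED_GROUP:
            continue
        if u.secondary_groups:
            findings.append((u.name, "still in secondary groups"))
        if u.moderates:
            findings.append((u.name, "still on moderator list"))
        reachable = sorted(f.fid for f in forums if can_view(u, f))
        if reachable:
            findings.append((u.name, f"can still view forums {reachable}"))
    return sorted(findings)

# Constructed sample data.
FORUMS = [Forum(7, True, {"registered", "moderators"}),
          Forum(9, False, {"moderators"}),
          Forum(12, False, {"registered", "moderators"})]
USERS = [User("ex_mod", "banned", {"moderators"}, {7}, {9: True}),
         User("alice", "registered"),
         User("clean_ban", "banned")]

if __name__ == "__main__":
    for subject, issue in audit(USERS, FORUMS):
        print(f"{subject}: {issue}")
```
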
All times are GMT.