The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
||||
|
||||
old Problem about baned moderators!!
I think there is an old but very Important problem in vBulletin all versions !
The problem is after I baned a moderator of my board I see that he did some moderator actions !!( he banned one of the users !! after he - himself was baned ) I do Not know how it is possible. But I guess he used cookie & cashes. above problem happened when I used v Bulletin3.6.8 ... because the new version 3.7.0 asks moderator to inter their passwords for most moderation action ... But I have seen the same problem in new version 3.7.0 !!! The problem is some of the users can see and read hidden forums!! I do not know how they can do exactly.... but I guess the problem refers to cookies and cashes !! They may use some inactive moderator Ids and changes the cookies ... or thieves the cookies of others... maybe it is the bug of the old versions of web browsers... as I mentioned I do not know what they do .. but it maybe the old weak of vBulletin security .... what can we do about thieve the cookie ? what can be done about the users who read hidden forum that they surely not have the permission ????? regards |
#2
|
|||
|
|||
go to user cp, set his primary usergroup as banned and uncheck all the groups he was a member of. Also make sure your banned group is actually a banned group in usergroup manger.
|
#3
|
|||
|
|||
Also make sure he is removed from the moderator list. (Though I presume that the staff at vBulletin are intelligent enough to check the user is banned before he can perform actions)
|
#4
|
||||
|
||||
Thank you .
I have checked them ... but all the permissions & user group have been set correct! I guess the only way they use maybe steeling cookies.. I am not sure yet , because I do not know about cookies in vBulletin.... |
#5
|
||||
|
||||
It is not a cookie issue. What usergroups is the user in? And what are the permissions for that usergroup? Is it marked as a "banned" usergroup? And in forum permissions, does that group have no permissions in all forums?
|
#6
|
||||
|
||||
He is just a registered user. and I set registered user can Not see hidden forums....
one more think ... I do not know how but he found a bug in hack : " Post thank you " ... and he could get thanks from any user he likes !! |
#7
|
||||
|
||||
Don't make him a Registered User if he is banned, make him a banned user.
And, check his access masks to see if you gave him permission through those to get to the hidden forums. And check the forum permissions and make sure that Registered Users (and banned users) have absolutely no permissions to get to that Hidden Forum. Depending on the forum permissions for the 'hidden' forum, it could be that you simply have it hidden from public but are allowing users to get to it directly through a link. So, all he needs is to know the forumid and he can get to it. |
#8
|
||||
|
||||
Quote:
Quote:
of course I'm not sure I got ride of him... he said he is able to be login as every one he likes .. |
#9
|
||||
|
||||
Then I would strongly suggest you go through all your Mods and see if he has added code to one. Perhaps look though your plugins and see if he added one just so he can get in. And, your pages also - see which ones are not default vb ones (Suspect File Versions).
|
#10
|
|||
|
|||
To my knowledge there are no known issues as you describe with default vBulletin. If you can reproduce such behaviour with default vB, then please post a bugreport.
This is either due to incorrect settings or a vulnerable modification. |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|