BigJoe
Joined: 07 Dec 2002
Posts: 1602
Location: A Remote/Well Fortified Complex
Fri Jan 13, 2006 1:42 pm

I second that!!!

soulcore
Joined: 25 Dec 2004
Posts: 285
Location: Dallas
Fri Jan 13, 2006 7:52 pm

I have a moderator related question actually: how is it that guests are able to view private messages?
Among the numerous security concerns already evident here, that really does seem a bit fishy to me.
Just check out the "who's online" section; there is almost always at least one guest viewing private messages.

_________________
"In the beginning of a change the patriot is a scarce man, and brave, and hated and scorned. When his cause succeeds, the timid join him, for then it costs nothing to be a patriot."
-Mark Twain

increase 1776
Joined: 07 Oct 2000
Posts: 3097
Location: Bizzaro World
Fri Jan 13, 2006 8:46 pm

Thermit says it's nothing to worry about.

_________________
"The police are not here to create disorder. The police are here to preserve disorder." -Mayor Richard Daley

soulcore
Joined: 25 Dec 2004
Posts: 285
Location: Dallas
Sat Jan 14, 2006 1:21 am

Oh, well in that case I feel much better now.

_________________
"In the beginning of a change the patriot is a scarce man, and brave, and hated and scorned. When his cause succeeds, the timid join him, for then it costs nothing to be a patriot."
-Mark Twain

increase 1776
Joined: 07 Oct 2000
Posts: 3097
Location: Bizzaro World
Sat Jan 14, 2006 3:27 am

Quote:
According to viewonline a user is doing/reading something they should not be able to!

No, they probably are not. phpBB uses sessions to keep track of users as they move between pages. The session information tells us who this user is. Therefore, in order to determine what a user can do on a page, we first need the session details. Once this data is available we can check whether the user is permitted to do whatever it is they are trying to do. This can result in it appearing as if a user is reading a topic in a forum they should not be able to access, or perhaps viewing private messages when they are only guests, etc. In practice the user is not doing these things; they are viewing a "You are not permitted to do this" type message. The session data has simply been updated before we were able to determine what the user could or could not do.
Of course this only applies where permissions have been set correctly!
http://www.phpbb.com/support/documents.php?mode=faq

Okay, I thought there was a tweak available to correct this unfortunate behavior of the software, but I guess not, since I can't find it.
But, since there isn't a security hole, just an alarming appearance of one (doesn't that make you feel warm and fuzzy?), I thought it might be educational for us to utilize this flaw as a warning sign. In other words, doofus57 won't be able to read the moderator forum without the proper permissions, but if they try to do some URL bar hacking, they will show up and we will know that they are getting a bit too curious.
This is how it works.

_________________
"The police are not here to create disorder. The police are here to preserve disorder." -Mayor Richard Daley
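The ordering the quoted FAQ describes (the session row is updated before the permission check runs, so "who's online" shows a page the user was refused), and the "warning sign" use of it, as an added example. This is not phpBB's own code; the page names, roles and permission table are constructed for the model.

```python
# Added example, not phpBB's code: a minimal model of "session updated first,
# permission checked second", plus a defender-side check that turns the
# misleading viewonline entries into an alert about URL probing.
from dataclasses import dataclass, field

# Constructed permission table: which roles may view each page in this model.
PAGE_PERMISSIONS = {
    "index.php": {"guest", "user", "mod"},
    "viewtopic.php?f=modforum": {"mod"},
    "privmsg.php": {"user", "mod"},
}

@dataclass
class Session:
    sid: str
    role: str                 # "guest", "user" or "mod"
    page: str = "index.php"   # last page recorded in the session row

@dataclass
class Board:
    sessions: dict = field(default_factory=dict)

    def handle_request(self, sid: str, page: str) -> str:
        """phpBB-style order: record the page first, then check permission."""
        sess = self.sessions[sid]
        sess.page = page          # session row updated before any authorization
        if sess.role not in PAGE_PERMISSIONS.get(page, set()):
            return "You are not permitted to do this"   # what the user really sees
        return f"OK: {page}"

    def whos_online(self) -> list:
        """What viewonline displays: the page stored in each session row."""
        return [(s.sid, s.role, s.page) for s in self.sessions.values()]

    def suspicious_entries(self) -> list:
        """Defender check: sessions recorded on a page their role may not view."""
        return [(s.sid, s.role, s.page) for s in self.sessions.values()
                if s.role not in PAGE_PERMISSIONS.get(s.page, set())]

def demo() -> Board:
    board = Board()
    board.sessions["g1"] = Session("g1", "guest")
    board.sessions["u1"] = Session("u1", "user")
    # Constructed requests: the guest types a private-message URL into the bar.
    board.handle_request("u1", "index.php")
    board.handle_request("g1", "privmsg.php")
    return board
```

The guest is refused, yet `whos_online()` lists it on `privmsg.php`; `suspicious_entries()` is the moderator's "getting a bit too curious" list.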