Bugs originating from newbb
Date 2006-05-10 13:09:04 | Category: XOOPS
I've just found many bugs in the access control of *newbb*.
-- a moderator can moderate any forum
-- anyone can post into any locked topic
-- anyone can read any post in the private forums
Though these are not "vulnerabilities", they might be a problem if you rely on *newbb*'s access control system.
I've just fixed them in xhnewbb. But there are many modules other than xhnewbb that are based on newbb.
If you are a developer of such a module, please check it.
This is the cause:
structure: forum - topic_id - post_id
wrong check: the check uses the 'forum' value from the request
If someone requests an unrestricted 'forum' together with a restricted 'topic_id'/'post_id', he can perform any action allowed in the unrestricted forum.
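The flawed check next to a corrected one, as an added example that is not newbb or xhnewbb code. The array layout, function names and group names are hypothetical, and the sample data is constructed.

```php
<?php
// Constructed sample data (hypothetical schema, not newbb's actual tables).
$forums = [
    1 => ['name' => 'public',  'readable_by' => ['guest', 'member']],
    2 => ['name' => 'private', 'readable_by' => ['staff']],
];
$topics = [10 => ['forum_id' => 1], 20 => ['forum_id' => 2]];
$posts  = [100 => ['topic_id' => 10], 200 => ['topic_id' => 20]];

function can_read_forum(array $forums, int $forumId, string $group): bool
{
    return isset($forums[$forumId])
        && in_array($group, $forums[$forumId]['readable_by'], true);
}

// Flawed pattern from the post: permission is checked on the 'forum'
// request parameter, which is independent of the post being fetched.
function read_post_flawed(array $req, string $group, array $forums, array $posts): bool
{
    return can_read_forum($forums, (int)($req['forum'] ?? 0), $group)
        && isset($posts[(int)($req['post_id'] ?? 0)]);
}

// Corrected pattern: resolve post -> topic -> forum from stored data,
// check that forum, and reject a 'forum' parameter that disagrees with it.
function read_post_checked(array $req, string $group, array $forums, array $topics, array $posts): bool
{
    $postId = (int)($req['post_id'] ?? 0);
    if (!isset($posts[$postId])) {
        return false;
    }
    $topicId = $posts[$postId]['topic_id'];
    if (!isset($topics[$topicId])) {
        return false;
    }
    $forumId = $topics[$topicId]['forum_id'];
    if (isset($req['forum']) && (int)$req['forum'] !== $forumId) {
        return false;
    }
    return can_read_forum($forums, $forumId, $group);
}

// Mismatched request: 'forum' names the public forum, post 200 is stored under private forum 2.
$req = ['forum' => 1, 'post_id' => 200];
var_dump(read_post_flawed($req, 'guest', $forums, $posts));
var_dump(read_post_checked($req, 'guest', $forums, $topics, $posts));
var_dump(read_post_checked(['post_id' => 100], 'guest', $forums, $topics, $posts));
```

The same derivation applies to the moderation and locked-topic checks: the forum whose permissions are consulted comes from the stored topic or post, not from the request.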