[fixed] why was a banned moderator able to access and use the Mods' Control Panel?



Bobbi
Thu 15th Nov '01, 7:12pm
Have I overlooked something? Because I had to ban a moderator a few days ago. And yet, today, some users were banned - apparently by this person.

The server access logs indicate that his IP was the one responsible for the banning of some users on my site, even though he was placed into the 'banned' user group (I didn't yet delete his user account, though). There are other users (and mods too) who have also had this IP address, but it really couldn't be any of them.

The 'banned' user group has no rights to anything on the forums (can't even view threads). The user group permissions for that group are marked 'no' for everything.

I hope to hear from someone quite soon about this! Thanks.

Steve Machol
Thu 15th Nov '01, 7:14pm
I haven't a clue why this would happen. Maybe this Mod had previously set up another account for himself. Nonetheless I don't think anyone will be able to resolve this based on the information you've given. You might want to file a support request so someone from vbulletin.com can access your Admin CP and investigate.

Bobbi
Thu 15th Nov '01, 7:19pm
Originally posted by smachol
I haven't a clue why this would happen. Maybe this Mod had previously set up another account for himself. Nonetheless I don't think anyone will be able to resolve this based on the information you've given. You might want to file a support request so someone from vbulletin.com can access your Admin CP and investigate.


How do you file a support request? I'll try to figure that out on my own, but if you could let me know soon (just in case I can't find out), please let me know how to do that! Thanks.

Steve Machol
Thu 15th Nov '01, 7:20pm
http://www.vbulletin.com/members/support.php

Bobbi
Fri 16th Nov '01, 10:51am
Okay, but one thing I don't understand is how he was able to ban a user in a forum that he did not moderate. Can moderators ban users in any forums, regardless of which forum(s) they're a moderator for? Or was this just part of the glitch that was now corrected?

John
Fri 16th Nov '01, 11:00am
The bug was that he was able to log into the mod CP.

A moderator can ban any user - because there is no definition of which forum a user 'belongs' to.

John

Bobbi
Fri 16th Nov '01, 11:03am
Originally posted by John
The bug was that he was able to log into the mod CP.

A moderator can ban any user - because there is no definition of which forum a user 'belongs' to.

John


Makes sense. Sorry for the confusion.

JTMON
Fri 16th Nov '01, 12:09pm
Can you post the fix here so those of us who don't want to do the full upgrade to 2.2.1 can apply it? This seems like a whopping security issue if someone had given the mods too much permission.

Bobbi
Fri 16th Nov '01, 1:27pm
Originally posted by JTMON
Can you post the fix here so those of us who don't want to do the full upgrade to 2.2.1 can apply it? This seems like a whopping security issue if someone had given the mods too much permission.


Sure was a "whopping security issue." A few of the mods on my site caused a lot of pain and confusion for a while. :(

Anyway, at least the vBulletin people responded to my support ticket about this almost right away. But in the meantime, I did have to delete a former mod's user account.

JTMON
Fri 16th Nov '01, 1:31pm
Well I sure hope they post the fix here soon. So much for having a "Security Expert" :D j/k

John
Sat 17th Nov '01, 1:57pm
This is not the sort of thing that our security expert checks for, as it is an unforeseen occurrence that we had not predicted.

To fix this, edit mod/global.php ~line 80:

    require("./../admin/sessions.php");

    $permissions=getpermissions();

    if (!ismoderator() or !$permissions['canview']) {
    cpheader("<title>Moderators control panel</title>");

John
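The fix above only makes sense once you see what the two checks look at. The following is an added example in Python, not vBulletin's code and not part of John's post: it models a moderator record (what ismoderator() consults) separately from usergroup permissions (what getpermissions() returns), shows why a moderator moved into the 'banned' usergroup still passed the original check, and shows the check after the fix. The function names echo the helpers quoted in the thread; the usergroup table, users and the stale-record audit are assumptions constructed for this example.

```python
"""Added example, not vBulletin's code: a model of the authorization bug in this
thread. The moderator control panel checked only whether a user had a moderator
record, not whether the user's current usergroup still allowed anything, so a
moderator moved into the 'banned' usergroup kept access. The hardened check
mirrors John's fix by also requiring the usergroup's 'canview' permission.
All users and permission values below are constructed for this example."""

from dataclasses import dataclass, field

# Constructed usergroup permission table. The 'banned' group denies everything,
# matching the configuration Bobbi describes.
USERGROUP_PERMISSIONS = {
    "registered": {"canview": True},
    "moderators": {"canview": True},
    "banned": {"canview": False},
}
DENY_ALL = {"canview": False}


@dataclass(frozen=True)
class User:
    userid: int
    username: str
    usergroup: str
    moderated_forums: frozenset = field(default_factory=frozenset)  # forum ids


def ismoderator(user: User) -> bool:
    """Per-user moderator record: true if the user moderates any forum.
    It knows nothing about the usergroup, which is the root of the bug."""
    return bool(user.moderated_forums)


def getpermissions(user: User) -> dict:
    """Effective permissions come from the usergroup, so moving a user into
    'banned' changes them immediately. Unknown groups deny everything."""
    return USERGROUP_PERMISSIONS.get(user.usergroup, DENY_ALL)


def modcp_allowed_vulnerable(user: User) -> bool:
    """Pre-fix behaviour: the moderator record alone grants Mod CP access."""
    return ismoderator(user)


def modcp_allowed_fixed(user: User) -> bool:
    """Post-fix behaviour: moderator record AND usergroup 'canview' required."""
    return ismoderator(user) and getpermissions(user)["canview"]


def ban_user(user: User) -> User:
    """What Bobbi did: move the account into 'banned' while keeping the account
    and its moderator records in place."""
    return User(user.userid, user.username, "banned", user.moderated_forums)


def stale_moderator_records(users) -> list:
    """Defender's audit (assumed helper): usernames that still hold a moderator
    record although their usergroup cannot even view the forums. On an
    unpatched board these are exactly the accounts that can still reach the
    Mod CP; on a patched board they are still worth cleaning up."""
    return sorted(u.username for u in users
                  if ismoderator(u) and not getpermissions(u)["canview"])


def demo() -> dict:
    """Runs both checks over three constructed accounts."""
    active_mod = User(2, "alice", "moderators", frozenset({3, 7}))
    banned_mod = ban_user(User(5, "bob", "moderators", frozenset({3})))
    member = User(9, "carol", "registered")
    users = [active_mod, banned_mod, member]
    return {
        "vulnerable": {u.username: modcp_allowed_vulnerable(u) for u in users},
        "fixed": {u.username: modcp_allowed_fixed(u) for u in users},
        "stale_mod_records": stale_moderator_records(users),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The banned account passes the vulnerable check and fails the fixed one, which is the whole story of the thread: a ban that only changes the usergroup does nothing to a privilege decided by a separate moderator table, so the control panel must consult both. The audit function is the check a board owner would want after banning a moderator, since, as Bobbi found, deleting the account was otherwise the only reliable remedy.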

JTMON
Sat 17th Nov '01, 2:09pm
Originally posted by John
This is not the sort of thing that our security expert checks for, as it is an unforeseen occurrence that we had not predicted.

To fix this, edit mod/global.php ~line 80:

    require("./../admin/sessions.php");

    $permissions=getpermissions();

    if (!ismoderator() or !$permissions['canview']) {
    cpheader("<title>Moderators control panel</title>");

John

Could we have the security expert start checking for these types of things? The code should be tight enough to prevent some occurrences you can't predict, similar to the way security products can prevent new, undefined types of attacks.

Thanks for the fix, John.

tubedogg
Sat 17th Nov '01, 9:47pm
How can you fix something that is not even predictable...?

JTMON
Sat 17th Nov '01, 9:52pm
The same way you can prevent viruses that haven't been created yet, and the same way security products can stop attacks that haven't been created yet.

Chen
Sun 18th Nov '01, 3:58am
With all due respect, not all security holes are predictable.
If they were, they wouldn't exist in the first place. :)

JTMON
Sun 18th Nov '01, 1:28pm
Originally posted by FireFly
With all due respect, not all security holes are predictable.
If they were, they wouldn't exist in the first place. :)

I totally agree, I just wish that the security expert DID look for these types of things also. Rather than us finding it as customers.