Major Duplicable Security Hole: Is This a Bug?
jminiman
Sat 19th Jan '02, 8:47pm
Hi all,
I have brought this up in another thread (http://vbulletin.com/forum/showthread.php?s=&postid=233687), but it looks like vBulletin has a really weird bug going on. Several of my moderators continue to get access to private forums that Moderator group members are locked out of. I keep changing their individual forum permissions to not access these private forums, but they spontaneously keep getting access to all private forums.
Moderators are locked out of all of these forums, and all my moderators are now in the Moderator group (something that should be done by default--that's silly!). However, random moderators have access to all the private forums, and even after setting things straight, they spontaneously get access to all private forums when I add a new private forum.
What the heck is going on? We seriously need to get to the bottom of this. This is a major security problem and should be treated seriously.
jminiman
Sun 20th Jan '02, 5:08pm
I don't mean to be rude, but shouldn't an issue like this get an immediate official response?
JamesUS
Sun 20th Jan '02, 5:27pm
Can you please send your admin logon details to support@vbulletin.com and we will look into this for you :)
jminiman
Sun 20th Jan '02, 5:36pm
Sent.
JamesUS
Sun 20th Jan '02, 5:49pm
Thanks. I can't promise this will be looked into properly until tomorrow now - as it's quite late on a Sunday. If you don't receive anything today it will definitely be looked at first thing in the morning tomorrow though.
Scott MacVicar
Sun 20th Jan '02, 6:03pm
do you have any hacks installed that affect access masks in any way?
I've sat for about an hour now trying to re-create this problem on an unhacked board.
jminiman
Sun 20th Jan '02, 6:04pm
Which files might affect access masks (so I can trace back my MANY installed hacks to the individual files)? All of my hacks have been well commented.
Scott MacVicar
Sun 20th Jan '02, 6:17pm
did you install one of my hacks called "Allow mods to edit access masks?"
that's one that would definitely cause this problem if the mods are misusing it, either that or you could have a corrupt admin :)
The hacks could be in many files so I'd try and find as many of them as possible.
If you got them from vBulletin.org and clicked the Installed Hack button then it would list all the hacks you installed in your profile.
jminiman
Sun 20th Jan '02, 6:22pm
Silly me--I never informed vB.org that I installed more than a few of the hacks. No, I didn't ever install the mod access hack, though.
jminiman
Sun 20th Jan '02, 6:59pm
I'm becoming less sure that this is a hack, because only certain mods exhibit this behavior--about 1/3 of them do. Is there any way to see if an individual user has corrupt access masks?
WizyWyg
Sun 20th Jan '02, 9:54pm
Revert your templates, upload original unhacked php files and see if anything happens that way
I don't have any problems with any of my mods and even forums bigger than mine with 30+ mods aren't seeing this problem.
If you have to you can install another instance of vbulletin on your server to test things out (no public access). And you can narrow it down to a problem
1. double check your access masks for each user group
2. double check your access masks on each forum. You could have inadvertently turned one on to custom settings.
jminiman
Sun 20th Jan '02, 10:21pm
Here are the PHP files I have edited:
index.php, member.php, register.php, showthread.php, admin/forum.php, admin/email.php.
Over 60% of my templates have been modified, but I can't imagine how these problems would have anything to do with templates--all of the template sets have the same access masks, so it wouldn't matter. I guess I could try reverting to the old PHP files, but I'd kinda prefer not to unless it's a last ditch effort. I have a number of hacks that I don't want to reinstall right now.
Steve Machol
Sun 20th Jan '02, 11:06pm
Originally posted by jminiman
I guess I could try reverting to the old PHP files, but I'd kinda prefer not to unless it's a last ditch effort. I have a number of hacks that I don't want to reinstall right now.
However you have to understand that we can't really provide support on hacked installations. There are just too many unknown variables once a person has hacked their board.
JamesUS
Mon 21st Jan '02, 2:48am
I will look at it when I get home today, but it is beginning to sound like it might be a hack problem. If someone can reproduce it on an unhacked board it would be useful though.
WizyWyg
Mon 21st Jan '02, 5:53am
Originally posted by jminiman
Here are the PHP files I have edited:
index.php, member.php, register.php, showthread.php, admin/forum.php, admin/email.php.
Over 60% of my templates have been modified, but I can't imagine how these problems would have anything to do with templates--all of the template sets have the same access masks, so it wouldn't matter. I guess I could try reverting to the old PHP files, but I'd kinda prefer not to unless it's a last ditch effort. I have a number of hacks that I don't want to reinstall right now.
again, you can install another instance of vbulletin for testing purposes that way you can narrow down the problem.
Though it does definitely sound like one of your hacks messed up.
You edited many of the "main" php files and it could be anything in them.
The Prohacker
Mon 21st Jan '02, 8:40am
Originally posted by JamesUS
I will look at it when I get home today, but it is beginning to sound like it might be a hack problem. If someone can reproduce it on an unhacked board it would be useful though.
I think it was the problem with personal access masks, when you find a user to change their profile, there was a thread about this before, and I also posted saying I have the same problem, but no one ever answered....
jminiman
Mon 21st Jan '02, 5:20pm
Okay--I used a VERY smart program called Beyond Compare, which allows me to step through the exact differences between files. Using this, I was able to figure out all of the hacks I have installed:
1. Send HTML e-mail to board members
2. Expand/collapse forums
3. Blink PM bar on forum home
4. vbStats
5. Show avatar on forum home
6. Show number of threads since last login on forum home
These things in member.php (it could be a change between v2.2.0 and v2.2.1):
See attached text file in next post.
That's all. I did notice that Contract posts changes almost all PHP files. Prohacker: do you have this hack installed?
Your continued help is much appreciated. None of these hacks seem to have any impact whatsoever on moderator privileges.
jminiman
Mon 21st Jan '02, 5:23pm
Changes in members.php.
The Prohacker
Mon 21st Jan '02, 5:36pm
I tried it on a forum with no hacks, and a forum with hacks, and produced the same effect.... Oh well, guess my mods got to see a few secrets :D
jminiman
Mon 21st Jan '02, 5:50pm
I don't like this--I have several forums that have confidential information posted; perhaps I need to be looking for a more secure forums system?
John
Mon 21st Jan '02, 7:47pm
What changes have you made to admin/forum.php ?
John
jminiman
Mon 21st Jan '02, 7:53pm
Changes to admin/forum.php
1. (start line 126)
// expand collapse hack
maketableheader("Display Setting");
makeyesnocode("Collapse Children","collapsed",0);
// end expand collapse hack
2. Changed line 140 to: styleoverride,allowratings,countposts,moderateattach,collapsed)
3. Changed line 145 to:
'$styleoverride','$allowratings','$countposts','$moderateattach','$collapsed')");
4. Added starting line 230:
// expand collapse hack
maketableheader("Display Setting");
makeyesnocode("Collapse Children","collapsed",$forum[collapsed]);
// end expand collapse hack
5. Changed line 168 to:
moderateattach='$moderateattach', collapsed='$collapsed'
Every one of these changes is a result of the collapse hack.
jminiman
Mon 21st Jan '02, 8:03pm
In functions.php, I have this starting at line 293:
if ($post[usergroupid]==6 OR $post[usergroupid]==5) {
    $post[message]=bbcodeparse2($post[pagetext],1,1,1,1);
} else {
    $post[message]=bbcodeparse($post[pagetext],$forum[forumid],$post[allowsmilie]);
}
jminiman
Mon 21st Jan '02, 8:47pm
Well, all,
It wasn't the most elegant solution, but by brute force, I deleted all entries from the "access" table. Every last entry was bull crud and should never have been there. Killing all of those entries brought each mod's private forum access back to default (which for most private forums is no access). I checked several users, and much as I expected, their permissions were all set back to default for the private forums. The BIG QUESTION:
Will it stay like this or will I have to periodically clear out the access table?
Joshua Clinard
Mon 21st Jan '02, 11:16pm
Prohacker tested this out on a clean forum, and reported the problem is still in effect.
Fusion
Tue 22nd Jan '02, 11:39am
I would imagine it'll get moved to bugs as soon as a mod runs the same test, and we'll see a fix shortly. Or will they conveniently blame it on the hacks? :D
Steve Machol
Tue 22nd Jan '02, 11:43am
FWIW, this does not happen on either of my essentially non-hacked boards. :confused:
The Prohacker
Tue 22nd Jan '02, 5:43pm
I'm going to do another fresh install on a server tonight, just had it rebuilt after an intrusion, so it'll be a good test.......
tubedogg
Tue 22nd Jan '02, 6:40pm
Originally posted by Fusion
Or will they conveniently blame it on the hacks? :D
That was uncalled for...
Fusion
Tue 22nd Jan '02, 7:21pm
Originally posted by tubedogg
That was uncalled for...
Oh, come now, you saw the smilie.. :p
John
Tue 22nd Jan '02, 8:37pm
Prohacker - can you let us know the exact steps you took to reproduce this problem?
Thanks,
John
The Prohacker
Tue 22nd Jan '02, 8:48pm
Of course...
I'm installing another test forum now....... I'll make an exact list after I'm done if I come up with the same error....
The Prohacker
Wed 23rd Jan '02, 1:14pm
Very strange....
I installed a fresh copy of vB and added a few users, and had the same problem...
But I checked my email and a few people had problems with accessing certain things in PHP and MySQL, so I recompiled both, and the problem is gone....
Not sure if the "hacker" that got in, screwed up the programs, but totally possible......
To the people that have the problems:
What host do you use??
There are several resellers on this box...
rylin
Wed 23rd Jan '02, 10:26pm
what compile settings did you use for php, and how (if at all) does your php.ini differ from the default?
i'll see if i can reproduce it tomorrow
The Prohacker
Wed 23rd Jan '02, 10:46pm
./configure --with-apxs=/usr/local/apache/bin/apxs --with-xml --with-swf=/usr/local/flash --with-gd=../gd-1.8.4 --with-jpeg-dir=/usr/local --with-imap=../imap-2001.BETA.SNAP-0107112053 --with-ming=../ming-0.1.1 --enable-magic-quotes --with-mysql --enable-safe-mode --enable-track-vars --with-ttf --enable-versioning --with-zlib --with-curl --with-Kerberos=/usr/kerberos --enable-ftp --with-png
Standard PHP.ini, Cpanel 4 server, I know, the cpanel being installed can explain a lot...
mishkan
Mon 3rd Jun '02, 10:41pm
May I ask... whatever happened with this security problem?
Does it affect 2.2.5 ?
Was a fix made for it? If so, where is it available?
I haven't opened my board for members to start using, yet... so I don't know if I would have this problem... but I'm trying to cover all my bases ahead of time. Thanks!
mishkan :)
The Prohacker
Mon 3rd Jun '02, 11:29pm
I had a problem about mods getting set access, but I've upgraded several times and no longer have the problem.. It could have just been a mysql fluke, I don't know.. But with 2.2.5 and 2.2.6 it's just fine...
Talon3DHQ
Mon 24th Jun '02, 3:30pm
I can honestly say that this is not a "hack" problem. I had the same problem, and still do, and would really appreciate finding out how others corrected this. Here is the EXACT problem:
When you create a private forum, it automatically sets anyone in the moderators group's ACCESS MASKS to "YES" for that forum, and you have to MANUALLY set them back to default in order for the permissions to work correctly. This was happening on my forum before any hacks were installed, and still is, from versions 2.2.1 all the way to 2.2.5.
Did anyone figure out how to correct this yet?
Talon
Steve Machol
Mon 24th Jun '02, 3:40pm
Originally posted by Talon3DHQ
When you create a private forum, it automatically sets anyone in the moderators group's ACCESS MASKS to "YES" for that forum, and you have to MANUALLY set them back to default in order for the permissions to work correctly.
This has been the default behavior ever since I can remember.
Talon3DHQ
Mon 24th Jun '02, 4:00pm
Originally posted by smachol
This has been the default behavior ever since I can remember.
If that is the case, then no offense to Jelsoft, but it is just silly. Why should I have to go to EACH AND EVERY moderator and MANUALLY set their forums access to "DEFAULT" when I have already set the permissions to the forum in question to NOT allow ANY moderators in? The permissions should take care of that, but instead I have to set permission AND set access masks manually for just this one group. Why doesn't it do this for just Moderators, and not Super Moderators, or even Admins? Sorry, it really just doesn't make any sense to me.
Talon
Steve Machol
Mon 24th Jun '02, 4:02pm
I don't disagree. I do believe this is fixed in vB 3.0.
Talon3DHQ
Mon 24th Jun '02, 4:03pm
Originally posted by smachol
I don't disagree. I do believe this is fixed in vB 3.0.
Ok, that is good to hear, but I suppose asking for it to be corrected in version 2.2.5 or .6 is too much? I guess I will have to try the "access table" thing mentioned earlier in this thread
Mystics
Mon 24th Jun '02, 4:43pm
Just remove / comment out this part in admin/forum.php:
$mods=$DB_site->query("SELECT DISTINCT moderator.userid FROM moderator,user WHERE moderator.userid=user.userid AND user.usergroupid<>6 AND user.usergroupid<>5");
if ($DB_site->num_rows($mods)) {
    while ($mod=$DB_site->fetch_array($mods)) {
        $accessto[] = $mod['userid'];
    }
    while ( list($key,$userid)=each($accessto) ) {
        $DB_site->query("INSERT INTO access (userid,forumid,accessmask) VALUES ('$userid','$forumid',1)");
    }
}
Mystics
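The effect of the block quoted above, and a targeted audit of the "access" table as an alternative to emptying it, shown as an added example that is not from the thread or from vBulletin. It uses an in-memory SQLite database in place of MySQL; the rows are constructed sample data, and the moderator.forumid column is an assumption of this example.

```python
import sqlite3

def build_sample_db():
    # Constructed sample data. Column names come from the query quoted above,
    # except moderator.forumid, which is an assumption of this example.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (userid INTEGER PRIMARY KEY, usergroupid INTEGER);
        CREATE TABLE moderator (userid INTEGER, forumid INTEGER);
        CREATE TABLE access (userid INTEGER, forumid INTEGER, accessmask INTEGER);
        INSERT INTO user VALUES (2, 5), (3, 7), (4, 2), (5, 2);
        INSERT INTO moderator VALUES (2, 10), (3, 10), (4, 11);
        INSERT INTO access VALUES (5, 11, 1);  -- a mask an admin set on purpose
    """)
    return db

def grant_on_new_private_forum(db, forumid):
    # Same effect as the quoted admin/forum.php block: every moderator outside
    # usergroups 5 and 6 gets an explicit accessmask=1 row for the new forum.
    mods = db.execute(
        "SELECT DISTINCT moderator.userid FROM moderator, user "
        "WHERE moderator.userid = user.userid "
        "AND user.usergroupid <> 6 AND user.usergroupid <> 5").fetchall()
    db.executemany(
        "INSERT INTO access (userid, forumid, accessmask) VALUES (?, ?, 1)",
        [(userid, forumid) for (userid,) in mods])

# Explicit "yes" masks held by a moderator on a forum that user does not
# moderate. Masks of non-moderators are left alone.
UNEXPECTED = """
    FROM access
    WHERE accessmask = 1
      AND userid IN (SELECT userid FROM moderator)
      AND NOT EXISTS (SELECT 1 FROM moderator m
                      WHERE m.userid = access.userid
                        AND m.forumid = access.forumid)
"""

def unexpected_grants(db):
    # Review list: (userid, forumid) pairs to check before changing anything.
    return db.execute("SELECT userid, forumid" + UNEXPECTED +
                      " ORDER BY userid, forumid").fetchall()

def revoke_unexpected(db):
    # Deletes only the rows the audit reports; returns how many were removed.
    cur = db.execute("DELETE" + UNEXPECTED)
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    grant_on_new_private_forum(db, 20)
    print("to review:", unexpected_grants(db))
    print("revoked:", revoke_unexpected(db))
```
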
Talon3DHQ
Mon 24th Jun '02, 4:53pm
Ok, that's great. Thanks a lot. I will try this tonight when I get home from work.
Thanks!
Talon
tubedogg
Mon 24th Jun '02, 11:03pm
I'm pretty sure this has not been changed in vB3.
There's a simple way to avoid this - don't set the forum to private, and change permissions for your other groups to not be able to view/post/etc. in it.
Fusion
Tue 25th Jun '02, 2:23am
Originally posted by tubedogg
There's a simple way to avoid this - don't set the forum to private, and change permissions for your other groups to not be able to view/post/etc. in it.
Uhh, Kevin.. Doesn't that void the whole point of having a private-forum option? Seems to me that it would be better to actually correct the feature, make it more logical, rather than going around it like you suggested.
tubedogg
Tue 25th Jun '02, 2:28am
The feature seems pretty logical to me. It says it will hide forums from everyone except mods & admins. If you don't want the forum to be set that way, don't set the option.
It's like saying you want to change the way the Submit Reply button works because it doesn't preview the message first. If you want to preview the message, use the preview button, not the submit button.
Talon3DHQ
Tue 25th Jun '02, 10:29am
Originally posted by tubedogg
The feature seems pretty logical to me. It says it will hide forums from everyone except mods & admins. If you don't want the forum to be set that way, don't set the option.
Here's an analogy for that. PATIENT="Doc, it hurts when I do this". Doctor="Then Don't do that". Did that solve the problem? Well, no, not really, because the problem wasn't fixed, it was just avoided. See what I mean?
Originally posted by tubedogg
It's like saying you want to change the way the Submit Reply button works because it doesn't preview the message first. If you want to preview the message, use the preview button, not the submit button.
No offense tubedogg, but you are comparing apples and oranges.
My point again is this. It does this ONLY for the moderators, not the admins, and not the Super moderators. Instead of someone only having to change ONE permission to restrict access, they have to manually change every single moderator. If I want to restrict access for all supermoderators, or even admins, all I have to do is change one permission, and BOOM, it's done. I have 20 moderators myself, so that is a pain to do manually, but I can't imagine how much a pain it is for sites with more than that.
I am not trying to argue with the Jelsoft team on this. If you all feel this is not an issue, that is fine, but I think that it should be something that perhaps is in the "Instructions" as an option to turn off or on, much like that "aol/icq" feature which requires a simple modification to turn on.
Talon
tubedogg
Tue 25th Jun '02, 11:02am
The reason it only does this for moderators is simple: moderators are not required to be in one specific usergroup. Administrators and Super Moderators *are*. Since moderators do not have to be in one specific usergroup, individual permissions are assigned to them to mimic the effect that would occur if all moderators were in one usergroup.
Talon3DHQ
Tue 25th Jun '02, 11:16am
Ok, that explains it a little better anyway. Thank you for that. I did use Mystics' workaround, and it did the trick, so I guess I will just have to remember that for the next upgrade. Thanks for your time and help on this guys.
Talon
Fusion
Tue 25th Jun '02, 2:10pm
Originally posted by tubedogg
The feature seems pretty logical to me. It says it will hide forums from everyone except mods & admins. If you don't want the forum to be set that way, don't set the option.
Admins and Super Mods, yes, I agree. I do not buy that this is how it was intended for regular mods tho. Generally they are assigned to specific forums, elsewhere they are meant to have regular user rights. See where it becomes illogical?
Talon3DHQ
Tue 25th Jun '02, 2:12pm
Originally posted by Fusion
Admins and Super Mods, yes, I agree. I do not buy that this is how it was intended for regular mods tho. Generally they are assigned to specific forums, elsewhere they are meant to have regular user rights. See where it becomes illogical?
I see, yes. But, I think this point is moot now as it is very clear that they do not view this as a "flaw", but as "working as intended".
Talon