[FIXED] Bug / Possible Security Breach



CycloCide
Sun 10th Mar '02, 3:33am
We host http://www.gnutellaforums.com/ and upgraded them from v2.2.2 to v2.2.3 this morning. The only templates we've modified are the header and the footer.

Several people e-mailed me today saying that their posts were appearing under my account. I investigated and here's what I discovered:
If a user is logged in and posts through newthread.php or newreply.php, everything works fine.
If a user is NOT logged in and logs in while posting through newthread.php or newreply.php, their posts appear under the account of the user with userid=1. In our case, that meant they were posting under my admin account, and were logged in as me when they finished posting. I had to create a new admin account and disable the old one because those users had full access to vBulletin's admin features.

repair.php didn't find any problems with the MySQL tables, and I didn't see any problems when I browsed through them using phpMyAdmin.

Any idea what's going on and how to fix it?

JamesUS
Sun 10th Mar '02, 4:00am
This doesn't seem to be occurring here (I just logged out, went to post a reply and then logged in when prompted) - has the code of newreply/newthread been modified on your board?

CycloCide
Sun 10th Mar '02, 4:31am
Originally posted by JamesUS
This doesn't seem to be occurring here (I just logged out, went to post a reply and then logged in when prompted) - has the code of newreply/newthread been modified on your board?
No, they haven't been modified.

UserName
Sun 10th Mar '02, 5:07am
I will send you a PM to tell you how to fix it. You need to manually change some code!

nuno
Sun 10th Mar '02, 6:50am
hmmm
i've noticed that no longer Guests can post in A Place to Test Things Out forum, i wonder why :rolleyes:
If this is true, then it's a major bug IMO :eek:

nuno
Sun 10th Mar '02, 6:56am
OMG, i've just tested it and it is true, you are logged in as admin :eek:

CycloCide
Sun 10th Mar '02, 8:19am
I fixed the problem by replacing

if ($userinfo=$DB_site->query_first("SELECT user.*,userfield.* FROM user,userfield WHERE username='".addslashes(htmlspecialchars($username))."' OR username='".addslashes(eregi_replace("[^A-Za-z0-9]","",$username))."' AND user.userid=userfield.userid"))
with

if ($userinfo=$DB_site->query_first("SELECT user.*,userfield.* FROM user,userfield WHERE (username='".addslashes(htmlspecialchars($username))."' OR username='".addslashes(eregi_replace("[^A-Za-z0-9]","",$username))."') AND user.userid=userfield.userid"))
in newthread.php and newreply.php


I just downloaded vbulletin2.zip again and it still has this bug. This is a major security breach; why aren't you doing anything about it?

It gives users access to the account associated with userid=1 and for most forums, that's an admin account.
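[Added example, not part of the original thread or of vBulletin's code.] The two queries in the post above differ only in parentheses: AND binds tighter than OR, so the unparenthesized form drops the join condition for the first username test and pairs the matching user with every userfield row. The sketch below reproduces this in SQLite with constructed tables; it assumes the first row is read into a name-keyed array where the later duplicate `userid` column wins (as PHP's mysql_fetch_array does), and adds an ORDER BY only to make the constructed result deterministic.

```python
import re
import sqlite3

def build_db():
    # Constructed sample data; table/column names follow the query in the post.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, usergroupid INTEGER);
        CREATE TABLE userfield (userid INTEGER PRIMARY KEY, field1 TEXT);
        INSERT INTO user VALUES (1, 'admin', 6), (2, 'alice', 2), (3, 'bob', 2);
        INSERT INTO userfield VALUES (1, 'admin bio'), (2, 'alice bio'), (3, 'bob bio');
    """)
    return db

# Parses as: username=? OR (username=? AND user.userid=userfield.userid)
BEFORE = ("SELECT user.*, userfield.* FROM user, userfield "
          "WHERE username = ? OR username = ? AND user.userid = userfield.userid")
# The join condition now applies to both username tests.
AFTER = ("SELECT user.*, userfield.* FROM user, userfield "
         "WHERE (username = ? OR username = ?) AND user.userid = userfield.userid")

def params(username):
    # Second value mirrors the post's alphanumeric-only variant of the name.
    return (username, re.sub(r"[^A-Za-z0-9]", "", username))

def row_count(db, sql, username):
    return len(db.execute(sql, params(username)).fetchall())

def query_first(db, sql, username):
    # Hypothetical stand-in for $DB_site->query_first: first row as a dict,
    # a later column with the same name overwriting the earlier one.
    cur = db.execute(sql + " ORDER BY userfield.userid", params(username))
    row = cur.fetchone()
    if row is None:
        return None
    return dict(zip([d[0] for d in cur.description], row))

if __name__ == "__main__":
    db = build_db()
    for label, sql in (("before", BEFORE), ("after", AFTER)):
        info = query_first(db, sql, "alice")
        print(label, "rows:", row_count(db, sql, "alice"),
              "username:", info["username"], "userid:", info["userid"])
```

A login check that compares only the username and password from this row still succeeds for the real user, which is why the mismatch shows up only in the userid carried into the session.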

Freddie Bingham
Sun 10th Mar '02, 8:22am
We are aware of the problem but John is not here at the moment so the files can not be modified. You can fix the file as you have or you can turn off guest posting.

nuno
Sun 10th Mar '02, 8:27am
ok done freddie.
is there any fix for this one?
will the code from CycloCide fix it?

Freddie Bingham
Sun 10th Mar '02, 8:32am
That is what I posted, no?

nuno
Sun 10th Mar '02, 8:37am
yup, there was a thread in Bug Reports forum about this one, but i guess it's no longer there, so..... :rolleyes:

nuno
Sun 10th Mar '02, 10:37am
ok i don't know what you guys think about this, but i demand guarantees that no one has accessed admin area under John's account, this is a major issue :mad:
Members' privacy is at stake here, this is much too important to leave it this way i think :rolleyes:
And what about members ID's and PW's stored in profiles? :eek:
TIA

RCK
Sun 10th Mar '02, 10:46am
same problem here... (2.2.3)
I have used the CycloCide fix.

waiting for the 2.2.3c :p

Chris Schreiber
Sun 10th Mar '02, 11:49am
We have just released version 2.2.3c in the members' area, which fixes this problem. If you have installed 2.2.3 and allow guests to post on your boards, we strongly urge you to upgrade to this version as soon as possible, or make the changes CycloCide has in his post.

Freddie Bingham
Sun 10th Mar '02, 12:53pm
The admin area on this board is protected by an .htaccess so you can not get in.

nuno
Sun 10th Mar '02, 12:57pm
thank you freddie :)

alexi
Sun 10th Mar '02, 12:59pm
I hate waking up in the morning to stuff like this

tubedogg
Sun 10th Mar '02, 2:34pm
Originally posted by nuno
And what about members ID's and PW's stored in profiles? :eek:
They aren't, remember? We did away with that like 6 months ago?

nuno
Sun 10th Mar '02, 3:03pm
well i guess i just had a big scare
:rolleyes:
please don't do this again :D
i just had to revert all templates to original, upgrade to 2.2.3c and now i must go and redo them all over again. :(

tubedogg
Sun 10th Mar '02, 3:33pm
Why did you revert all your templates to original?

Also the newthread/newreply bug does not affect any templates.

nuno
Sun 10th Mar '02, 3:49pm
heh Kev, i just went completely berserk, revert all to original and upgrade.
If there are any more bugs out there, i'll just wait for v3.0. :o