
Thread: Major Duplicable Security Hole: Is This a Bug?

  1. #1
    Senior Member jminiman
    Join Date
    Jul 2001
    Location
    Media, PA USA
    Age
    28
    Posts
    117

    Major Duplicable Security Hole: Is This a Bug?

    Hi all,

    I have brought this up in another thread (http://vbulletin.com/forum/showthrea...&postid=233687), but it looks like vBulletin has a really weird bug going on. Several of my moderators continue to get access to private forums that Moderator group members are locked out of. I keep changing their individual forum permissions to not access these private forums, but they spontaneously keep getting access to all private forums.

    Moderators are locked out of all of these forums, and all my moderators are now in the Moderator group (something that should be done by default--that's silly!). However, random moderators have access to all the private forums, and even after setting things straight, they spontaneously get access to all private forums when I add a new private forum.

    What the heck is going on? We seriously need to get to the bottom of this. This is a major security problem and should be treated seriously.
    Jared Miniman
    -------
    Editor In-Chief
    pocketnow.com -- it's all about portability...
    http://www.pocketnow.com

  2. #2
    Senior Member jminiman
    Join Date
    Jul 2001
    Location
    Media, PA USA
    Age
    28
    Posts
    117
    I don't mean to be rude, but shouldn't an issue like this get an immediate official response?
    Jared Miniman
    -------
    Editor In-Chief
    pocketnow.com -- it's all about portability...
    http://www.pocketnow.com

  3. #3
    Senior Member JamesUS
    Join Date
    Aug 2000
    Location
    London, England
    Posts
    4,625
    Can you please send your admin logon details to support@vbulletin.com and we will look into this for you.
    James Ussher-Smith
    .:.: SideLinks - Make your directory work for you :.:.

  4. #4
    Senior Member jminiman
    Join Date
    Jul 2001
    Location
    Media, PA USA
    Age
    28
    Posts
    117
    Sent.
    Jared Miniman
    -------
    Editor In-Chief
    pocketnow.com -- it's all about portability...
    http://www.pocketnow.com

  5. #5
    Senior Member JamesUS
    Join Date
    Aug 2000
    Location
    London, England
    Posts
    4,625
    Thanks. I can't promise this will be looked into properly until tomorrow now - as it's quite late on a Sunday. If you don't receive anything today it will definitely be looked at first thing in the morning tomorrow though.
    James Ussher-Smith
    .:.: SideLinks - Make your directory work for you :.:.

  6. #6
    Former vBulletin Developer Scott MacVicar
    Join Date
    Dec 2000
    Location
    Reading, UK
    Posts
    13,335
    Blog Entries
    1
    Do you have any hacks installed that affect access masks in any way?

    I've sat for about an hour now trying to re-create this problem on an unhacked board.
    Scott MacVicar

    My Blog | Twitter

  7. #7
    Senior Member jminiman
    Join Date
    Jul 2001
    Location
    Media, PA USA
    Age
    28
    Posts
    117
    Which files might affect access masks (so I can trace back my MANY installed hacks to the individual files)? All of my hacks have been well commented.
    Jared Miniman
    -------
    Editor In-Chief
    pocketnow.com -- it's all about portability...
    http://www.pocketnow.com

  8. #8
    Former vBulletin Developer Scott MacVicar
    Join Date
    Dec 2000
    Location
    Reading, UK
    Posts
    13,335
    Blog Entries
    1
    Did you install one of my hacks called "Allow mods to edit access masks?"

    That's one that would definitely cause this problem if the mods are misusing it; either that or you could have a corrupt admin.

    The hacks could be in many files so I'd try and find as many of them as possible.

    If you got them from vBulletin.org and clicked the Installed Hack button then it would list all the hacks you installed in your profile.
    Scott MacVicar

    My Blog | Twitter

  9. #9
    Senior Member jminiman
    Join Date
    Jul 2001
    Location
    Media, PA USA
    Age
    28
    Posts
    117
    Silly me--I never informed vB.org that I installed more than a few of the hacks. No, I didn't ever install the mod access hack, though.
    Jared Miniman
    -------
    Editor In-Chief
    pocketnow.com -- it's all about portability...
    http://www.pocketnow.com

  10. #10
    Senior Member jminiman
    Join Date
    Jul 2001
    Location
    Media, PA USA
    Age
    28
    Posts
    117
    I'm becoming less sure that this is a hack, because only certain mods exhibit this behavior--about 1/3 of them do. Is there any way to see if an individual user has corrupt access masks?
    Jared Miniman
    -------
    Editor In-Chief
    pocketnow.com -- it's all about portability...
    http://www.pocketnow.com

  11. #11
    Senior Member WizyWyg
    Join Date
    Jul 2001
    Location
    Honolulu, HI
    Age
    35
    Posts
    1,310
    Revert your templates, upload original unhacked PHP files and see if anything happens that way.

    I don't have any problems with any of my mods and even forums bigger than mine with 30+ mods aren't seeing this problem.

    If you have to, you can install another instance of vBulletin on your server to test things out (no public access). And you can narrow it down to a problem.

    1. double check your access masks for each user group
    2. double check your access masks on each forum. You could have inadvertently turned one on to custom settings.
    There are only 10 types of people in the world: Those who understand binary, and those who don't


  12. #12
    Senior Member jminiman
    Join Date
    Jul 2001
    Location
    Media, PA USA
    Age
    28
    Posts
    117
    Here are the PHP files I have edited:

    index.php, member.php, register.php, showthread.php, admin/forum.php, admin/email.php.

    Over 60% of my templates have been modified, but I can't imagine how these problems would have anything to do with templates--all of the template sets have the same access masks, so it wouldn't matter. I guess I could try reverting to the old PHP files, but I'd kinda prefer not to unless it's a last ditch effort. I have a number of hacks that I don't want to reinstall right now.
    Jared Miniman
    -------
    Editor In-Chief
    pocketnow.com -- it's all about portability...
    http://www.pocketnow.com

  13. #13
    Customer Support Manager Steve Machol
    Join Date
    Jul 2000
    Location
    Jelsoft InterGalactic HQ
    Posts
    142,702
    Originally posted by jminiman
    I guess I could try reverting to the old PHP files, but I'd kinda prefer not to unless it's a last ditch effort. I have a number of hacks that I don't want to reinstall right now.
    However, you have to understand that we can't really provide support on hacked installations. There are just too many unknown variables once a person has hacked their board.
    Steve Machol, vBulletin Customer Support Manager
    "Have Copy, Will Paste" (when appropriate)

    Please do not email or PM me for vBulletin support. I will be more than glad to answer your questions on the vB Forums and in the support system.

    Just remember that what happens in localhost, stays in localhost.


  14. #14
    Senior Member JamesUS
    Join Date
    Aug 2000
    Location
    London, England
    Posts
    4,625
    I will look at it when I get home today, but it is beginning to sound like it might be a hack problem. If someone can reproduce it on an unhacked board it would be useful though.
    James Ussher-Smith
    .:.: SideLinks - Make your directory work for you :.:.

  15. #15
    Senior Member WizyWyg
    Join Date
    Jul 2001
    Location
    Honolulu, HI
    Age
    35
    Posts
    1,310
    Originally posted by jminiman
    Here are the PHP files I have edited:

    index.php, member.php, register.php, showthread.php, admin/forum.php, admin/email.php.

    Over 60% of my templates have been modified, but I can't imagine how these problems would have anything to do with templates--all of the template sets have the same access masks, so it wouldn't matter. I guess I could try reverting to the old PHP files, but I'd kinda prefer not to unless it's a last ditch effort. I have a number of hacks that I don't want to reinstall right now.
    Again, you can install another instance of vBulletin for testing purposes; that way you can narrow down the problem.

    Though it does definitely sound like one of your hacks messed up.

    You edited many of the "main" php files and it could be anything in them.
    There are only 10 types of people in the world: Those who understand binary, and those who don't

