Tweet
It just came to my attention that there is a security flaw (possibily, hopefully not and just error on my part) in vB 2.2.1:
We have four main user groups (i.e. outside of COPA, Users Awaiting Confirmation etc.):
- Registered
- Authorized Personnel
- BTDTs
- Administrators
Now, we have three private forums:
- Authorized Personnel Only
- Team Room
- SOCNET Personnel Only
Those in user group Authorized Personnel can access the Authorized Personnly Only forum.
Those in the BTDTs user group can access both APO and the Team Room.
Admins can access all three.
But it just came to my attention that if a member in the BTDTs user group were to click on "members" in the top right corner, find an administrators name, click on the search function, they are permitted to preview the posts that appear in the SOCNET Personnel Only forum.
I checked the permissions for the forum and made sure BTDTs couldn't view the forum nor search it yet I can still perform searches and come up with previews using a test screen name set to the user group BTDTs. And while I cannot access the private SPO forum, I clearly see it listed in the forums summary when I should just be seeing Authorized Personnly Only and Team Room.
Please advise ...
We have four main user groups (i.e. outside of COPA, Users Awaiting Confirmation etc.):
- Registered
- Authorized Personnel
- BTDTs
- Administrators
Now, we have three private forums:
- Authorized Personnel Only
- Team Room
- SOCNET Personnel Only
Those in user group Authorized Personnel can access the Authorized Personnly Only forum.
Those in the BTDTs user group can access both APO and the Team Room.
Admins can access all three.
But it just came to my attention that if a member in the BTDTs user group were to click on "members" in the top right corner, find an administrators name, click on the search function, they are permitted to preview the posts that appear in the SOCNET Personnel Only forum.
I checked the permissions for the forum and made sure BTDTs couldn't view the forum nor search it yet I can still perform searches and come up with previews using a test screen name set to the user group BTDTs. And while I cannot access the private SPO forum, I clearly see it listed in the forums summary when I should just be seeing Authorized Personnly Only and Team Room.
Please advise ...
Comment