Bug Report - Modifying Announcements

  • maol3
    New Member
    • Mar 2014
    • 2
    • 4.2.X

    Bug Report - Modifying Announcements

    Hello vBulletin staff,

    I couldn't find anywhere to report bugs regarding the vBulletin software, so I guess this is the best place to post it.
    While I was moderating a vBulletin 4.2.2 forum, I suddenly found a security hole in the Moderator Control Panel.

    You only need to be a section moderator of a vBulletin forum to be able to edit or force view announcements in any forum. I am, for example, only a section moderator for one forum, Europe MapleStory, on GameKiller.net, but I was able to modify the Official Rules announcement that applied to All Forums by going to /modcp/announcement.php?do=edit&a=1. By just modifying the HTTP header, it's possible for a Moderator to edit or force view any announcement they don't have permission to view on the forums, as long as they have the ID of the announcement, which they could obtain on the forums.

    Just wanted to make you aware of this security vulnerability.
    Best regards, Martin Olofsson.
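The report above describes a missing object-level authorization check: the edit handler confirms that the caller holds a moderator role but never ties the user-supplied announcement ID back to the forums that moderator is actually assigned to. The following is an added example (not vBulletin's code and not from the reporter) that models that weak check beside a scoped one. The names `Announcement`, `Moderator`, `can_edit_weak`, `can_edit`, `edit_announcement`, the `ALL_FORUMS` sentinel and the sample records are all constructed for this illustration.

```python
"""Object-level authorization for announcement edits.

Added example, not vBulletin's code: a minimal model of the check a
moderator control panel needs before letting a user edit an announcement.
All names (Announcement, Moderator, can_edit_weak, can_edit, ALL_FORUMS)
and the sample data below are constructed for this illustration.
"""
from dataclasses import dataclass

ALL_FORUMS = -1  # constructed sentinel: announcement shown in every forum


@dataclass(frozen=True)
class Announcement:
    announcement_id: int
    forum_id: int  # forum the announcement belongs to, or ALL_FORUMS
    title: str


@dataclass
class Moderator:
    user_id: int
    moderated_forums: frozenset  # ids of the forums this user moderates
    is_admin: bool = False


# Constructed sample data standing in for the announcement table.
ANNOUNCEMENTS = {
    1: Announcement(1, ALL_FORUMS, "Official Rules"),
    7: Announcement(7, 42, "Europe MapleStory: section notice"),
    9: Announcement(9, 43, "Another section's notice"),
}


def can_edit_weak(user: Moderator, announcement_id: int) -> bool:
    """The flawed pattern: any moderator may edit any announcement id.

    Only checks that the caller holds *some* moderator role; the
    user-controlled announcement id is never related to the caller's scope.
    """
    if announcement_id not in ANNOUNCEMENTS:
        return False
    return user.is_admin or bool(user.moderated_forums)


def can_edit(user: Moderator, announcement_id: int) -> bool:
    """Hardened: the announcement's forum must be one the caller moderates.

    Global (all-forums) announcements require admin rights, because no
    single section moderator's scope covers every forum.
    """
    ann = ANNOUNCEMENTS.get(announcement_id)
    if ann is None:
        return False  # unknown id: deny rather than reveal anything
    if user.is_admin:
        return True
    if ann.forum_id == ALL_FORUMS:
        return False
    return ann.forum_id in user.moderated_forums


def edit_announcement(user: Moderator, announcement_id: int,
                      new_title: str) -> Announcement:
    """The edit handler must run the scoped check before any write."""
    if not can_edit(user, announcement_id):
        raise PermissionError(
            f"user {user.user_id} may not edit announcement {announcement_id}")
    old = ANNOUNCEMENTS[announcement_id]
    updated = Announcement(old.announcement_id, old.forum_id, new_title)
    ANNOUNCEMENTS[announcement_id] = updated
    return updated


if __name__ == "__main__":
    # A moderator of a single section (constructed forum id 42).
    section_mod = Moderator(user_id=100, moderated_forums=frozenset({42}))
    print(can_edit_weak(section_mod, 1))  # True: the behaviour reported above
    print(can_edit(section_mod, 1))       # False: global announcement, not admin
    print(can_edit(section_mod, 7))       # True: announcement in own section
    print(can_edit(section_mod, 9))       # False: another section's announcement
```

The design point is that the authorization decision is made from the announcement record's own `forum_id`, looked up server-side, rather than from anything in the request; a moderator role by itself is never sufficient to act on an arbitrary ID.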