Tweet
Hello vBulletin staff,
I couldn't find anywhere to reports bugs regarding to the vBulletin software, so I guess this is the best place to post it.
While I was moderating a vBulletin 4.2.2 forum, I suddenly found a security hole in the Moderator Control Panel.
You do only need to be section moderator of a vBulletin forum to be able to edit or force view announcements in any forum. I am, for example, only section moderator for one forum, Europe MapleStory, on GameKiller.net, but I was able to modify the Official Rules announcement that applied to All Forums by going to /modcp/announcement.php?do=edit&a=1. By just modifying the HTTP header, it's possible for a Moderator to edit or force view any announcement they don't have permission to view on the forums, as long as they have the ID of the announcement which they could obtain on the forums.
Just wanted to make you attentive of this security vulnerability.
Best regards, Martin Olofsson.
I couldn't find anywhere to reports bugs regarding to the vBulletin software, so I guess this is the best place to post it.
While I was moderating a vBulletin 4.2.2 forum, I suddenly found a security hole in the Moderator Control Panel.
You do only need to be section moderator of a vBulletin forum to be able to edit or force view announcements in any forum. I am, for example, only section moderator for one forum, Europe MapleStory, on GameKiller.net, but I was able to modify the Official Rules announcement that applied to All Forums by going to /modcp/announcement.php?do=edit&a=1. By just modifying the HTTP header, it's possible for a Moderator to edit or force view any announcement they don't have permission to view on the forums, as long as they have the ID of the announcement which they could obtain on the forums.
Just wanted to make you attentive of this security vulnerability.
Best regards, Martin Olofsson.
Comment