IntegraMOD

"computerskillz";p="6747" wrote:in Integramod 1.4, If you have a forum configured as a link redirection, then any anonymous person can make a thread in that forum simply by launching the posting URL and that forum ID EVEN if the forum is visible only to registered users. All the person needs is the forum ID.

For example if your Link Redirect Forum ID is 29, an anonymous person can simply enter......

http://www.yourdomain.com/posting.php?mode=newtopic&f=29

This should be fixed as soon as possible.

<img>

Has anyone came up with a solution for this security hole? Every now & then the Russians like to post their porn advertisements on my site via this security hole.

If you have a forum configured as a link redirection

?
More info?

This is a permission problem.
Link foruns are created, but have simplified permissions.
IIRC, it was possible to set its permissions on the Forum Admin > Permissions area. It isn't possible to do that anymore, as the link forum do not appear as a forum in the permissions drop down menu.

One way to solve this is to change the permissions of the link forum directly on the db. To do that you'll have to use phpmyadmin or any other tool of the sort. You should edit auth_post, auth_edit and auth_reply to 1 (I believe that's the value to registered, check other foruns values on your db to confirm that).

I remember having that trouble once, but I believe I was able to solve it using the permission area. I went there today and I wasn't able to do that. I'll try to remember what I did the last time, but for now, phpmyadmin will do the trick.

I agree, the GUI for link redirect forums gives you overly simplified permissions administration.

"Michaelo";p="15102" wrote:

If you have a forum configured as a link redirection

?
More info?

I will PM you.

"Pggar";p="15104" wrote:This is a permission problem.
Link foruns are created, but have simplified permissions.
IIRC, it was possible to set its permissions on the Forum Admin > Permissions area. It isn't possible to do that anymore, as the link forum do not appear as a forum in the permissions drop down menu.

One way to solve this is to change the permissions of the link forum directly on the db. To do that you'll have to use phpmyadmin or any other tool of the sort. You should edit auth_post, auth_edit and auth_reply to 1 (I believe that's the value to registered, check other foruns values on your db to confirm that).

I remember having that trouble once, but I believe I was able to solve it using the permission area. I went there today and I wasn't able to do that. I'll try to remember what I did the last time, but for now, phpmyadmin will do the trick.

Thanks for the suggestion but its more of a band-aid than a solution. If I do what you suggest then guests will not be able to view/use the redirects and I dont want that. I'm looking for a solution that allows guests to view/use redirects as they should be able to but without a security hole that allows them to make a post.

On a side note, you can edit redirect permissions in "ACP/Forum Admin/Management +". Choices are All, Reg, Private, Mod, Admin. If you choose private you then configure it in "ACP/Group Admin/Permissions".

"Pggar";p="15104" wrote:You should edit auth_post, auth_edit and auth_reply to 1 (I believe that's the value to registered, check other foruns values on your db to confirm that).

The solution allows guests to view/use redirects, they won't be able to post.

BTW, those fields are located on the table phpbb_forums.

"Pggar";p="15121" wrote:

"Pggar";p="15104" wrote:You should edit auth_post, auth_edit and auth_reply to 1 (I believe that's the value to registered, check other foruns values on your db to confirm that).

The solution allows guests to view/use redirects, they won't be able to post.

BTW, those fields are located on the table phpbb_forums.

Ok thanks, sorry for the mis-understanding and I will give it a shot.

I have given Solomon a fix be it not ideal it will do until I have time to add some additional code that will automatically check if a forum is a redirect...

Everyone with a redirected forum link should add this.

Edit posting.php adding the code belowà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ Note replace X, XX in the code with the forum ID's of your redirect forum.
The code below tests for two redirected forums edit to suit...

Code: Select all

   FIND]);}    

Mike

"Michaelo";p="15159" wrote:I have given Solomon a fix be it not ideal it will do until I have time to add some additional code that will automatically check if a forum is a redirect...

Everyone with a redirected forum link should add this.

Edit posting.php adding the code belowà¢Ãƒ ¢Ã¢â‚¬Å¡Ã‚ ¬Ãƒâ€šÃ‚ ¦ Note replace X, XX in the code with the forum ID's of your redirect forum.
The code below tests for two redirected forums edit to suit...

Code: Select all

   FIND]);}    

Mike

I haven't applied this yet because I have 50+ redirects and this would take a long time to complete.