Web Wiz Support and Community Forums : ’Move posts’ security bug

Web Wiz Support and Community Forums : ’Move posts’ security bug https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Mon, 13 Apr 2026 21:12:59 +0000 Sat, 13 Aug 2005 01:40:30 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=13879 <![CDATA[Web Wiz Support and Community Forums]]> https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ <![CDATA[’Move posts’ security bug : I have similar problem as pedalcars,...]]> https://forums.webwiz.net/move-posts-security-bug_topic13879_post88693.html#88693 Author: mantey
Subject: 13879
Posted: 13 August 2005 at 1:40am

I have similar problem as pedalcars, but I don't care if some moderator move the topic from his forum to the forum which is not normaly visible to him. I just don't want the moderator can see the list of topics in the hidden forum.

Maybe it would be nice to prevent only the possibility of moderator to view the topics of hidden forum when using the move post option. For example. If moderator choose the hidden forum (hidden to him) into which he want to put some message from "his" forum, then in page move_post_form_to.asp the list of all the topics in hidden forum will not be shown, and he will have the possibility only to make a new topic.

Is there any mod to make that possible.

]]> Sat, 13 Aug 2005 01:40:30 +0000 https://forums.webwiz.net/move-posts-security-bug_topic13879_post88693.html#88693 <![CDATA[’Move posts’ security bug : -boRg- wrote:The moving of...]]> https://forums.webwiz.net/move-posts-security-bug_topic13879_post76625.html#76625 Author: pedalcars
Subject: 13879
Posted: 18 February 2005 at 8:38am

-boRg- wrote:

The moving of posts by moderators between forums allows moderators to move posts to forums they are not moderators in

That's fine - but moving a post to a forum for which a person isn't a moderator is not the problem (I can see why that could be useful), it's that a moderator can move a post into a forum that normally he cannot see or access.

I accept it would reduce performance (slightly), but if, for example, the drop-down list of destinations to move a post to was filtered as the forum default page is, to only display the forums to which the moderator has (at least read) access, that would do.

Certainly in our case, it's highly unlikely that anyone will have access to two areas *and* that the moderator of one will be completely excluded from the other.

Maybe other users will have different opinions.]]> Fri, 18 Feb 2005 08:38:21 +0000 https://forums.webwiz.net/move-posts-security-bug_topic13879_post76625.html#76625 <![CDATA[’Move posts’ security bug : This isn't so much a case...]]> https://forums.webwiz.net/move-posts-security-bug_topic13879_post76622.html#76622 Author: WebWiz-Bruce
Subject: 13879
Posted: 18 February 2005 at 8:21am

This isn't so much a case of security but one of security verses functionality.

The moving of posts by moderators between forums allows moderators tomove posts to forums they are not moderators in, which in many cases isuseful and a required function.

So this should more be a question of would people like to keep thislevel of functionality in the next version, or would they like to havetighter security restricting moderators from moving posts to forums theyare not moderators in?
]]> Fri, 18 Feb 2005 08:21:36 +0000 https://forums.webwiz.net/move-posts-security-bug_topic13879_post76622.html#76622 <![CDATA[’Move posts’ security bug : I've searched for this and...]]> https://forums.webwiz.net/move-posts-security-bug_topic13879_post76619.html#76619 Author: pedalcars
Subject: 13879
Posted: 18 February 2005 at 8:10am

I've searched for this and can't find reference for any wwf version. I tested and verified it in WWF 7.9.

Our forum has a number of private areas for different teams. Each team area has a moderator, obviously; also each area is set to be invisible to users without access rights (although topic titles still appear under active topics).

One team moderator has noticed that he can "move" posts.

He also noticed that when doing so, ALL forums are listed including all the hidden forums which normally he can't see.

He can then successfully move a topic into another team's forum.

At that point he cannot see the topic any longer, as it's in a forum he doesn't have permission to see or enter.

This has two implications:

Firstly, it is possible (as his proof of concept did) to insert messages into someone else's private forum.

Secondly, it is possible that one could accidentally move an entire (confidential) topic into a rival team's forum, after which one cannot read it or remove it while the rival team can.]]> Fri, 18 Feb 2005 08:10:54 +0000 https://forums.webwiz.net/move-posts-security-bug_topic13879_post76619.html#76619