
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=12295
Printed Date: 11 April 2026 at 11:31am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Edit -> delete url change BUG
Posted By: Marino2
Subject: Edit -> delete url change BUG
Date Posted: 23 October 2004 at 11:20am

Originally posted by -boRg-:

    If you give a normal user permission to delete posts they can only delete their own posts and only before a reply is made to that post. Once someone has posted a reply the only person who can delete the previous post is the forum admin or a moderator.


Hello,
As you mentioned, I gave the permission to delete posts to members, but I noticed that one of them could nevertheless delete his posts AFTER a reply was made!
I asked him and he told me that he just changed, in the URL shown, the "edit_post.asp" page to "delete_post.asp", keeping the same parameters.

Example:
http://www.events-gallery.ch/forum/edit_post.asp?PID=46803&PN=0&TPN=1

replaced by
http://www.events-gallery.ch/forum/delete_post.asp?PID=46803&PN=0&TPN=1

And so he is able to delete all his old posts after a reply is made.

I use version 7.7. I searched this forum before asking, but I couldn't find a post explaining this bug. If a post about it exists, just give me the link.

Many thanks


PS: I had a problem with my first subscription to this forum, so you can delete the user "Marino".




Replies:
Posted By: WebWiz-Bruce
Date Posted: 23 October 2004 at 2:10pm
I shall look into the problem.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: Marino2
Date Posted: 25 October 2004 at 9:46am

Thank you, because he's now sending PMs with modified links hidden behind pictures or fake links to other members, and then they delete their own messages without knowing.



Posted By: WebWiz-Bruce
Date Posted: 25 October 2004 at 11:01am
Then maybe it's time to suspend this person's account to prevent him from doing such things.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: Marino2
Date Posted: 25 October 2004 at 6:25pm

But one or more others could do the same in the future; the problem will exist until it is solved...

Well, for the moment I've forbidden the deletion of posts except for mods and admins, so the trick can no longer be used.
Hope someone will do a patch for that, thanks in advance.

Cheers



Posted By: WebWiz-Bruce
Date Posted: 26 October 2004 at 5:27am
I am working on it, but as it will mean a lot of work and changing of code there will not be a quick fix, so it will not be available for the present version.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: MadDog
Date Posted: 26 October 2004 at 2:04pm
For a temp fix you could set edit and delete permissions to admin only. That would make it so that admins are the only ones allowed to edit or delete posts.

-------------
http://www.iportalx.net


Posted By: ljamal
Date Posted: 26 October 2004 at 3:20pm
Try this right after line 147 in delete_post.asp.
It should work, but I haven't tested it. Basically it checks to see if the thread has any posts after the user's post. If there are, then only an admin or mod can delete the post.

Let me know if it works and I'll release it as a MOD or maybe borg will add it to correct the current release.


' LJAMAL MOD 26 OCT 2004
' CORRECTS THE ABILITY FOR USERS TO DELETE POST BY CHANGING URL
' Deny the delete if any post in the same topic is newer than the post being deleted
If lngDelMsgAuthorID = lngLoggedInUserID Then
    Dim RSCheck
    Set RSCheck = Server.CreateObject("ADODB.Recordset")
    strSQL = "select " & strDbTable & "Thread.Thread_ID From " & strDbTable & "Thread WHERE " & _
             strDbTable & "Thread.Topic_ID in (select " & strDbTable & "Thread.Topic_ID from " & strDbTable & "Thread where " & _
             strDbTable & "Thread.Thread_ID = " & lngMessageID & ") and " & _
             strDbTable & "Thread.Message_date > (select " & strDbTable & "Thread.Message_date from " & strDbTable & "Thread where " & _
             strDbTable & "Thread.Thread_ID = " & lngMessageID & ");"

    RSCheck.Open strSQL, adoCon

    ' Any row returned means a later post exists, so only an admin or mod may delete
    If Not RSCheck.EOF Then
        blnDelete = False
    End If
    RSCheck.Close
    Set RSCheck = Nothing
End If
' END MOD


This has been updated to correct the flawed code. The code above has been tested and corrects the flaw.

-------------
L. Jamal Walton

L. Jamal Inc : Web/ Print Design and ASP Programming - http://www.ljamal.com/


Posted By: theSCIENTIST
Date Posted: 28 October 2004 at 4:34am
ljamal: Your attempt did not work, I have tested it; also your query syntax was erroring out, it should've been:

strSQL = "select " & strDbTable & "Thread.Thread_ID From " & strDbTable & "Thread WHERE " & _
         strDbTable & "Thread.Message_date > (select " & strDbTable & "Thread.Message_date from " & strDbTable & "Thread where " & _
         strDbTable & "Thread.Thread_ID = " & lngMessageID & ");"


I'm also trying to fix this with a simple to use patch, will reply when done.

-------------
:: www.mylittlehost.com - http://www.mylittlehost.com/


Posted By: theSCIENTIST
Date Posted: 28 October 2004 at 7:42am
I have cracked it :), it was not the simple patch (couple of lines of code) I wanted, but it works fine.

Again insert this code after line 147 in delete_post.asp:

'/* =================================================== */
'/* Patch by theSCIENTIST on 28 October 2004            */
'/* =================================================== */
'/* This patch fixes the vulnerability in which         */
'/* a user could delete his own posts, regardless of    */
'/* whether there are replies to it or not. The Author  */
'/* can still delete the post if it's the only post     */
'/* in that Topic or if it's the last post in the Topic. */
'/* Admin privileges have not been changed.             */
'/* =================================================== */

'/* If the user requesting deletion is the same as the user that posted the post to be deleted then... */
If lngDelMsgAuthorID = lngLoggedInUserID Then

    Dim ducbRS, ducbTopic, ducbDelPostDate, ducbCount, ducbLastPostDate
    ducbCount = 0

    '/* This first query is only needed to determine the date of the */
    '/* post to be deleted, and to get the Topic that post belongs to */
    Set ducbRS = Server.CreateObject("ADODB.Recordset")

    strSQL = "SELECT " & strDbTable & "Thread.Thread_ID, " & strDbTable & "Thread.Topic_ID, " & strDbTable & "Thread.Author_ID, " & strDbTable & "Thread.Message_date "
    strSQL = strSQL & "FROM " & strDbTable & "Thread "
    strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID=" & lngMessageID & ";"

    ducbRS.Open strSQL, adoCon

    If Not ducbRS.EOF Then
        ducbTopic = ducbRS("Topic_ID")
        ducbDelPostDate = ducbRS("Message_date")
    End If

    '/* Close recordset */
    ducbRS.Close
    Set ducbRS = Nothing

    '/* This second query will get and count all posts belonging to the Topic in question, */
    '/* ordered by date so that MoveLast really lands on the newest post */
    Set ducbRS = Server.CreateObject("ADODB.Recordset")

    strSQL = "SELECT " & strDbTable & "Thread.Thread_ID, " & strDbTable & "Thread.Topic_ID, " & strDbTable & "Thread.Author_ID, " & strDbTable & "Thread.Message_date "
    strSQL = strSQL & "FROM " & strDbTable & "Thread "
    strSQL = strSQL & "WHERE " & strDbTable & "Thread.Topic_ID=" & ducbTopic & " "
    strSQL = strSQL & "ORDER BY " & strDbTable & "Thread.Message_date;"

    '/* Dynamic recordset because we need to ride it (MoveLast needs a scrollable cursor) */
    ducbRS.CursorType = 2

    ducbRS.Open strSQL, adoCon

    '/* Do the counting */
    Do While Not ducbRS.EOF
        ducbCount = ducbCount + 1
        ducbRS.MoveNext
    Loop

    '/* If there's more than 1 post in this Topic then... */
    If ducbCount > 1 Then

        '/* Move to last post and collect its date */
        ducbRS.MoveLast
        ducbLastPostDate = ducbRS("Message_date")

        '/* If the date of the post to be deleted is older than the last post, in effect if */
        '/* this is true then there's a newer reply to the post, so don't allow the delete operation */
        If ducbDelPostDate < ducbLastPostDate Then
            blnDelete = False
        End If

    End If

    '/* Close recordset */
    ducbRS.Close
    Set ducbRS = Nothing

End If
'/* =================================================== */


I had to make 2 DB calls because the Topic_ID is not passed along from the delete request, but you can change the request to include a TID and skip the first DB query if you want.

NOTE: The parsing of this post actually disrupts the code and may add spaces to it, so if you want to see the code ready for cut and paste I have put a text file of it here:

http://www.mylittlehost.com/resources/projects/delete_bug.txt - View code

You can see in the queries that I'm requesting the Author_ID also, even though I don't use it; this was because I wanted to make it so that if the same Author posts several posts and no other Author replies to them, he can delete at will. I guess I'll do this later on.

Tell me how it performs.

-------------
:: www.mylittlehost.com - http://www.mylittlehost.com/


Posted By: ljamal
Date Posted: 28 October 2004 at 9:42am
As I stated, I hadn't tested it. Here is the tested code that works.

' LJAMAL MOD 26 OCT 2004
' CORRECTS THE ABILITY FOR USERS TO DELETE POST BY CHANGING URL
' Deny the delete if any post in the same topic is newer than the post being deleted
If lngDelMsgAuthorID = lngLoggedInUserID Then
    Dim RSCheck
    Set RSCheck = Server.CreateObject("ADODB.Recordset")
    strSQL = "select " & strDbTable & "Thread.Thread_ID From " & strDbTable & "Thread WHERE " & _
             strDbTable & "Thread.Topic_ID in (select " & strDbTable & "Thread.Topic_ID from " & strDbTable & "Thread where " & _
             strDbTable & "Thread.Thread_ID = " & lngMessageID & ") and " & _
             strDbTable & "Thread.Message_date > (select " & strDbTable & "Thread.Message_date from " & strDbTable & "Thread where " & _
             strDbTable & "Thread.Thread_ID = " & lngMessageID & ");"

    RSCheck.Open strSQL, adoCon

    ' Any row returned means a later post exists, so only an admin or mod may delete
    If Not RSCheck.EOF Then
        blnDelete = False
    End If
    RSCheck.Close
    Set RSCheck = Nothing
End If
' END MOD


-------------
L. Jamal Walton

L. Jamal Inc : Web/ Print Design and ASP Programming - http://www.ljamal.com/

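Added example, not code from this thread or from Web Wiz Forums: the same "no newer post in this topic" authorization rule that both ljamal's query and theSCIENTIST's patch enforce in delete_post.asp, written in Python over a constructed SQLite table so it runs offline and can be checked against the three cases the thread discusses (own last post, own post with a later reply, moderator). The table name tblThread, the sample rows and the function names are assumptions; the post id is passed as a bound parameter rather than concatenated into the SQL.

```python
import sqlite3

# Constructed sample data, not taken from the forum: one topic (7) holding
# three posts. Column names follow the Thread table used by both patches.
SCHEMA = """
CREATE TABLE tblThread (
    Thread_ID    INTEGER PRIMARY KEY,
    Topic_ID     INTEGER NOT NULL,
    Author_ID    INTEGER NOT NULL,
    Message_date TEXT NOT NULL
);
"""
ROWS = [
    (101, 7, 1, "2004-10-23 11:20"),  # user 1 opens the topic
    (102, 7, 2, "2004-10-23 14:10"),  # user 2 replies
    (103, 7, 1, "2004-10-25 09:46"),  # user 1 replies again (last post)
]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tblThread VALUES (?, ?, ?, ?)", ROWS)
    return conn

def has_later_reply(conn, message_id):
    """True if any post in the same topic is newer than message_id.
    One parameterised query; the id is never concatenated into the SQL."""
    row = conn.execute(
        """SELECT 1 FROM tblThread t
           JOIN tblThread d ON d.Topic_ID = t.Topic_ID
           WHERE d.Thread_ID = ? AND t.Message_date > d.Message_date
           LIMIT 1""",
        (message_id,),
    ).fetchone()
    return row is not None

def can_delete(conn, message_id, user_id, is_moderator=False):
    """Server-side check delete_post must make itself: the rule edit_post
    already enforces, so swapping the script name in the URL gains nothing."""
    row = conn.execute("SELECT Author_ID FROM tblThread WHERE Thread_ID = ?",
                       (message_id,)).fetchone()
    if row is None:
        return False                  # unknown post id: deny
    if is_moderator:
        return True                   # admin/mod privileges unchanged
    if row[0] != user_id:
        return False                  # not the author: deny
    return not has_later_reply(conn, message_id)
```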


