
'Move posts' security bug

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=13879
Printed Date: 13 April 2026 at 9:11pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: 'Move posts' security bug
Posted By: pedalcars
Subject: 'Move posts' security bug
Date Posted: 18 February 2005 at 8:10am
I've searched for this and can't find reference for any wwf version. I tested and verified it in WWF 7.9.

Our forum has a number of private areas for different teams. Each team area has a moderator, obviously; also each area is set to be invisible to users without access rights (although topic titles still appear under active topics).

One team moderator has noticed that he can "move" posts.

He also noticed that when doing so, ALL forums are listed including all the hidden forums which normally he can't see.

He can then successfully move a topic into another team's forum.

At that point he cannot see the topic any longer, as it's in a forum he doesn't have permission to see or enter.

This has two implications:

Firstly, it is possible (as his proof of concept did) to insert messages into someone else's private forum.

Secondly, it is possible that one could accidentally move an entire (confidential) topic into a rival team's forum, after which one cannot read it or remove it while the rival team can.

-------------
http://www.pedalcars.info/ - www.pedalcars.info

The most fun on four wheels




Replies:
Posted By: WebWiz-Bruce
Date Posted: 18 February 2005 at 8:21am
This isn't so much a case of security but one of security versus functionality.

The moving of posts by moderators between forums allows moderators to move posts to forums they are not moderators in, which in many cases is useful and a required function.

So this should more be a question of would people like to keep this level of functionality in the next version, or would they like to have tighter security restricting moderators from moving posts to forums they are not moderators in?


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: pedalcars
Date Posted: 18 February 2005 at 8:38am
Originally posted by -boRg-:

The moving of posts by moderators between forums allows moderators to move posts to forums they are not moderators in


That's fine - but moving a post to a forum for which a person isn't a moderator is not the problem (I can see why that could be useful), it's that a moderator can move a post into a forum that normally he cannot see or access.

I accept it would reduce performance (slightly), but if, for example, the drop-down list of destinations to move a post to was filtered as the forum default page is, to only display the forums to which the moderator has (at least read) access, that would do.

Certainly in our case, it's highly unlikely that anyone will have access to two areas *and* that the moderator of one will be completely excluded from the other.

Maybe other users will have different opinions.

-------------
http://www.pedalcars.info/ - www.pedalcars.info

The most fun on four wheels



Posted By: mantey
Date Posted: 13 August 2005 at 1:40am
I have a similar problem to pedalcars, but I don't care if some moderator moves the topic from his forum to a forum which is not normally visible to him. I just don't want the moderator to be able to see the list of topics in the hidden forum.

Maybe it would be nice to prevent only the moderator's ability to view the topics of a hidden forum when using the move post option. For example, if a moderator chooses a hidden forum (hidden to him) into which he wants to put some message from "his" forum, then on the page move_post_form_to.asp the list of all the topics in the hidden forum will not be shown, and he will only have the possibility to make a new topic.

Is there any mod to make that possible?
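
Added example (not part of the original thread and not Web Wiz Forums code): a small Python model of the two proposals above, filtering the move destinations by read access and hiding topic titles of forums the moderator cannot read, plus a server-side re-check on the move itself. All names and sample data are hypothetical; the move check follows pedalcars' stricter proposal.

```python
from dataclasses import dataclass, field

# Hypothetical data model; none of these names come from Web Wiz Forums.
@dataclass
class Forum:
    forum_id: int
    name: str
    readers: set = field(default_factory=set)      # groups with read access
    moderators: set = field(default_factory=set)   # groups that moderate here
    topics: dict = field(default_factory=dict)     # topic_id -> title

class MoveDenied(Exception):
    pass

def can_read(forum, groups):
    return bool(forum.readers & groups)

def destinations_unfiltered(forums, groups):
    """Behaviour described in the thread: every forum is offered."""
    return [f.name for f in forums.values()]

def destinations_filtered(forums, groups):
    """pedalcars' proposal: offer only forums the moderator can read."""
    return [f.name for f in forums.values() if can_read(f, groups)]

def topics_for_merge(forum, groups):
    """mantey's proposal: no topic titles from a forum the user cannot read."""
    return sorted(forum.topics.values()) if can_read(forum, groups) else []

def move_topic(forums, groups, topic_id, src_id, dst_id):
    """Re-check on the server: a filtered drop-down alone does not stop a
    request that names a hidden forum id directly."""
    src, dst = forums[src_id], forums[dst_id]
    if not (src.moderators & groups):
        raise MoveDenied("not a moderator of the source forum")
    if not can_read(dst, groups):
        raise MoveDenied("no read access to the destination forum")
    dst.topics[topic_id] = src.topics.pop(topic_id)

def sample_forums():
    # Constructed sample data: two private team areas and one shared forum.
    return {
        1: Forum(1, "Team A", {"team_a"}, {"team_a_mod"}, {10: "A race plan"}),
        2: Forum(2, "Team B", {"team_b"}, {"team_b_mod"}, {20: "B setup notes"}),
        3: Forum(3, "General", {"team_a", "team_b"}, {"admin"}, {30: "Welcome"}),
    }
```
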



Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net