
Security Hole

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=4552
Printed Date: 02 April 2026 at 10:14am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Security Hole
Posted By: pig killer
Subject: Security Hole
Date Posted: 27 July 2003 at 11:16am

Hi! I want to purchase a license for your forum. Can I expect that, if security holes were found in Web Wiz Forums, you would promptly eliminate them? (For example, http://forums.webwiz.net/forum_posts.asp?TID=2271 still works.)


Replies:
Posted By: pig killer
Date Posted: 27 July 2003 at 12:40pm

Hi again!

new bug:

When I post a reply message with mode=quote, the forum does not check permission on the forum, i.e. I can post and read messages in any forum!



Posted By: pig killer
Date Posted: 27 July 2003 at 10:12pm

Hi.

Solution for security hole in post_message_form.asp:

1. ..................
If strMode = "quote" Then
    '#####################   Changes: check permission to topic
    'Query the database
    rsCommon.Open strSQL, adoCon
    If NOT rsCommon.EOF Then
    '##################### ...
        'Get the number this thread is after
        intTotalNumOfThreads = Request.QueryString("NOP")

        'Get the return thread page
        intRecordPositionPageNum = Request.QueryString("TPN")

        'Get the message from the database

        'Initialise the sql query to get the thread details to be quoted
        strSQL = "SELECT " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.Username, " & strDbTable & "Thread.Message "
        strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " & strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " & strDbTable & "Author.Author_ID "
        strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " & CLng(Request.QueryString("PID"))
        '######################### Changes - close database connection

        'Reset server object (the permission recordset must be closed before rsCommon is reopened for the quote query)
        rsCommon.Close
        .........
    END IF
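As an added illustration, not code from this thread or from Web Wiz Forums, the missing check described above rendered in Python against an in-memory SQLite schema: the quote path that looks a post up by PID alone, beside a version that joins through to the post's forum and gates on the caller's read permission. The page only shows the Author and Thread tables; the tbl prefix, the tblTopic/tblForum link and the tblForumRead permission table are assumptions for the example.

```python
import sqlite3

# Constructed schema: tblAuthor and tblThread follow the columns used in the
# posted patch; tblForum, tblTopic and tblForumRead are assumed for the demo.
SCHEMA = """
CREATE TABLE tblAuthor (Author_ID INTEGER PRIMARY KEY, Username TEXT);
CREATE TABLE tblForum  (Forum_ID INTEGER PRIMARY KEY, Forum_Name TEXT);
CREATE TABLE tblTopic  (Topic_ID INTEGER PRIMARY KEY, Forum_ID INTEGER);
CREATE TABLE tblThread (Thread_ID INTEGER PRIMARY KEY, Topic_ID INTEGER,
                        Author_ID INTEGER, Message TEXT);
CREATE TABLE tblForumRead (Forum_ID INTEGER, Author_ID INTEGER);
"""
# Constructed sample data: bob (2) may read forum 10 but not forum 20.
DATA = """
INSERT INTO tblAuthor VALUES (1, 'alice'), (2, 'bob');
INSERT INTO tblForum VALUES (10, 'public'), (20, 'staff-only');
INSERT INTO tblTopic VALUES (100, 10), (200, 20);
INSERT INTO tblThread VALUES (1000, 100, 1, 'hello everyone'),
                             (2000, 200, 1, 'staff-only announcement');
INSERT INTO tblForumRead VALUES (10, 1), (10, 2), (20, 1);
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + DATA)
    return con


def quote_message_vulnerable(con, pid):
    """Mirrors the original mode=quote path: the post is fetched by PID alone,
    so the caller's permission on the enclosing forum is never consulted."""
    return con.execute(
        "SELECT a.Username, t.Message FROM tblThread t "
        "JOIN tblAuthor a ON t.Author_ID = a.Author_ID WHERE t.Thread_ID = ?",
        (pid,)).fetchone()


def quote_message_fixed(con, pid, requesting_author_id):
    """Same lookup, but joined through Topic to the forum and restricted to
    forums the requesting author may read; an unreadable forum yields None."""
    return con.execute(
        "SELECT a.Username, t.Message FROM tblThread t "
        "JOIN tblAuthor a ON t.Author_ID = a.Author_ID "
        "JOIN tblTopic tp ON t.Topic_ID = tp.Topic_ID "
        "JOIN tblForumRead r ON r.Forum_ID = tp.Forum_ID AND r.Author_ID = ? "
        "WHERE t.Thread_ID = ?",
        (requesting_author_id, pid)).fetchone()
```

Resolving the permission inside the same query keeps the check tied to the row actually returned, so a PID that points into another forum cannot bypass it.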

Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net