Information leak
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=6108
Printed Date: 03 April 2026 at 11:30am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Information leak
Posted By: ilnar
Subject: Information leak
Date Posted: 02 October 2003 at 5:09am
Sorry for my English.
Found in Web Wiz Forums v 7.01.
If I hide a forum from users without permission, the forum is hidden.
But I can get the list of hidden forums in active_topics.asp - select active topics since a month - I see the list of hidden forums and the topics in those forums. Why?
I think this is an information leak in the forum.
Replies:
Posted By: WebWiz-Bruce
Date Posted: 02 October 2003 at 5:56am
This is not a bug but done by design to improve performance.
This has also been brought up many times before if you do a search of the forum.
------------- Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
Posted By: b_bonnett
Date Posted: 03 October 2003 at 2:07am
I think there is also a mod for this in the Mod's Forum...
Blair
------------- Webmaster, http://www.planegallery.net/ - The Plane Gallery
Greetings From Christchurch
Posted By: fernan82
Date Posted: 03 October 2003 at 2:13am
Also in the last topic about this, ljamal posted a query you can use that I think should not cause a performance hit, as calling the permissions function for every topic would.... I haven't yet seen the mod though and I don't know how it works, but I think ljamal's idea is the best way to fix this...
------------- FeRnAN
Posted By: ilnar
Date Posted: 03 October 2003 at 2:23am
I disagree with the design to improve performance.
Reasons:
1. if I hide several forums from a user -> the set of unhidden forums becomes smaller than before -> it is more comfortable for the SELECT operation on the database.
2. don't save performance at the expense of security
Posted By: WebWiz-Bruce
Date Posted: 03 October 2003 at 2:33am
At the present time it will be left as it is because the query to get it to run successfully was so long and had so many subqueries it meant that if you had over around 50 posts in your forum the page took almost a minute to load.
The query in the post that fernan82 mentions that doesn't decrease performance only works if you have values entered into the permissions table for that forum, otherwise the query completely fails to return any results; it also overlooks the generic forum permissions and also overlooks any permissions on that forum for that particular user and so doesn't work very well.
In case you still want to try this query it's in a post at:-
http://forums.webwiz.net/forum_posts.asp?TID=2165
But be aware that you need to enter group permissions for each forum and it will overlook generic and user permissions.
------------- Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
Posted By: ljamal
Date Posted: 03 October 2003 at 11:16am
The query I built (see http://forums.webwiz.net/forum_posts.asp?TID=5751 ) using a stored procedure can return 50 rows and render the page in 1 second or less and could be ported to a simple Access query.
It checks generic permissions on the forum as well as user and group specific permissions. I believe -borg- confused my post with Zamal's. If anyone is interested in having a mod created for this, I will consider doing it, but I'm currently in the midst of 4 different projects all due by mid November so it may take some time.
------------- L. Jamal Walton
L. Jamal Inc: Web/Print Design and ASP Programming - http://www.ljamal.com/
Posted By: WebWiz-Bruce
Date Posted: 03 October 2003 at 11:38am
I shall have a look at the stored procedure that you mention.
------------- Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
Posted By: WebWiz-Bruce
Date Posted: 03 October 2003 at 12:44pm
I tried your stored procedure and got the following error:-
Microsoft OLE DB Provider for SQL Server (0x80040E21) Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.
------------- Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
Posted By: ljamal
Date Posted: 03 October 2003 at 12:58pm
You will need to change tblAuthorA to tblAuthor and pass a date to the stored procedure.
If you have problems beyond those changes, run the query in the Query Analyzer rather than via ASP script and PM the results. I run a highly modified version of WWF, so I wouldn't expect you to just plug in the stored procedure and have it work flawlessly, but it should be a strong base for you to work with.
------------- L. Jamal Walton
L. Jamal Inc: Web/Print Design and ASP Programming - http://www.ljamal.com/
Posted By: ilnar
Date Posted: 04 October 2003 at 1:04am
Hello
I just fixed:
active_topics.asp, line 257
If strDatabaseType = "SQLServer" Then
strSQL = "EXECUTE " & strDbProc & "ActiveToipcs @dblActiveFrom = " & dblActiveFrom
Else
strSQL = "SELECT " & strDbTable & "Forum.Forum_name, " & strDbTable & "Forum.Password, " & strDbTable & "Forum.Forum_code, " & strDbTable & "Forum.[Read], " & strDbTable & "Topic.* "
strSQL = strSQL & "FROM " & strDbTable & "Category, " & strDbTable & "Forum, " & strDbTable & "Topic "
strSQL = strSQL & "WHERE ((" & strDbTable & "Category.Cat_ID = " & strDbTable & "Forum.Cat_ID AND " & strDbTable & "Forum.Forum_ID = " & strDbTable & "Topic.Forum_ID) AND (" & strDbTable & "Forum.[Read] = True) AND (" & strDbTable & "Topic.Last_entry_date > " & strDatabaseDateFunction & " - " & dblActiveFrom & ")) "
strSQL = strSQL & " AND (tblForum.[Read] = 1 OR (tblTopic.Forum_ID in (select Forum_ID from tblPermissions where Author_ID=" & lngLoggedInUserID & "or Group_ID = " & intGroupID & "and [Read]=1)))"
strSQL = strSQL & "ORDER BY " & strDbTable & "Category.Cat_order ASC, " & strDbTable & "Forum.Forum_Order ASC, " & strDbTable & "Topic.Last_entry_date DESC;"
End If
All hidden forums' topics are hidden now !!! :)
Thanks for the idea to LJamal
Posted By: ilnar
Date Posted: 04 October 2003 at 1:37am
Sorry for the defect in my added code; the right code (bolded):
strSQL = strSQL & " AND (tblForum.[Hide] = False OR (tblTopic.Forum_ID in (select Forum_ID from tblPermissions where (Author_ID=" & lngLoggedInUserID & " or Group_ID=" & intGroupID & ") and [Read]=True)))"
Also in the forum's existing coding style, with " & strDbTable & ":
strSQL = strSQL & " AND (" & strDbTable & "Forum.[Hide] = False OR (" & strDbTable & "Topic.Forum_ID in (select Forum_ID from " & strDbTable & "Permissions where (Author_ID=" & lngLoggedInUserID & " or Group_ID=" & intGroupID & ") and [Read]=True)))"
Posted By: ilnar
Date Posted: 04 October 2003 at 2:10am
Access performance result:
0,2656 - with permissions checking added code
0,2500 - with permissions checking added code, refresh request
0,2656 - without checking code
0,2344 - without checking code, refresh request
statistics: 9 forums, 38 permission rules, 11 members, 12 groups, 76 threads, 36 topics
Posted By: ilnar
Date Posted: 04 October 2003 at 3:49am
This is for admins or moderators, where we have all permissions for forums:
ilnar wrote:
Access performance result:
0,2656 - with permissions checking added code
0,2500 - with permissions checking added code, refresh request
0,2656 - without checking code
0,2344 - without checking code, refresh request
statistics: 9 forums, 38 permission rules, 11 members, 12 groups, 76 threads, 36 topics
For guests:
- 0,1719 - with permissions checking added code
- 0,1563 - with permissions checking added code, refresh request
- 0,2344 - without checking code
- 0,2344 - without checking code, refresh request
Posted By: ljamal
Date Posted: 04 October 2003 at 6:00am
See my original thread for a new suggestion.
------------- L. Jamal Walton
L. Jamal Inc: Web/Print Design and ASP Programming - http://www.ljamal.com/
Posted By: WebWiz-Bruce
Date Posted: 05 October 2003 at 8:23am
I've been looking into your SQL query for the Access version and did find a few problems if there was nothing in the permissions table for that group and the forum was only available to registered users or just the admin. But I came up with the following:-
strSQL = "SELECT " & strDbTable & "Forum.Forum_name, " & strDbTable & "Forum.Password, " & strDbTable & "Forum.Forum_code, " & strDbTable & "Topic.* "
strSQL = strSQL & "FROM " & strDbTable & "Category, " & strDbTable & "Forum, " & strDbTable & "Topic "
strSQL = strSQL & "WHERE ((" & strDbTable & "Category.Cat_ID = " & strDbTable & "Forum.Cat_ID AND " & strDbTable & "Forum.Forum_ID = " & strDbTable & "Topic.Forum_ID) AND (" & strDbTable & "Topic.Last_entry_date > " & strDatabaseDateFunction & " - " & dblActiveFrom & "))"
'If guest group
If intGroupID = 2 Then
strSQL = strSQL & " AND (" & strDbTable & "Forum.[Read] = 1 OR (" & strDbTable & "Topic.Forum_ID IN ("
'If admin group
ElseIf intGroupID = 1 Then
strSQL = strSQL & " AND (" & strDbTable & "Forum.[Read] <= 4 OR (" & strDbTable & "Topic.Forum_ID IN ("
'All other groups
Else
strSQL = strSQL & " AND (" & strDbTable & "Forum.[Read] <= 2 OR (" & strDbTable & "Topic.Forum_ID IN ("
End If
strSQL = strSQL & " SELECT " & strDbTable & "Permissions.Forum_ID "
strSQL = strSQL & " FROM " & strDbTable & "Permissions "
'Parentheses around the user/group test so that [Read]=TRUE applies to both matches (AND binds tighter than OR)
strSQL = strSQL & " WHERE (" & strDbTable & "Permissions.Author_ID=" & lngLoggedInUserID & " OR " & strDbTable & "Permissions.Group_ID = " & intGroupID & ") AND " & strDbTable & "Permissions.[Read]=TRUE))"
strSQL = strSQL & " )"
strSQL = strSQL & "ORDER BY " & strDbTable & "Category.Cat_order ASC, " & strDbTable & "Forum.Forum_Order ASC, " & strDbTable & "Topic.Last_entry_date DESC;"
Not quite sure though how I'm going to port this across to a stored procedure for the SQL server version.
------------- Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
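The permission filter the thread converges on, as an added example that is not code from the thread or from Web Wiz Forums: a constructed SQLite stand-in for the Forum, Topic and Permissions tables runs the original active-topics query beside the filtered one for a guest, a permitted member, the admin group and an explicitly denied member, and also shows why the user/group test needs its own parentheses. Table and column names follow the thread; the sample rows, the `mode` argument and the numeric date values are assumptions.

```python
import sqlite3

# Constructed, simplified stand-in for the tables the thread's queries touch
# (not the real Web Wiz Forums schema). Hide = 1 marks a forum that only
# users with a matching Permissions row may read.
SCHEMA = """
CREATE TABLE Forum (Forum_ID INTEGER, Forum_name TEXT, [Hide] INTEGER);
CREATE TABLE Topic (Forum_ID INTEGER, Subject TEXT, Last_entry_date REAL);
CREATE TABLE Permissions (Forum_ID INTEGER, Author_ID INTEGER, Group_ID INTEGER, [Read] INTEGER);
INSERT INTO Forum VALUES (1, 'General', 0), (2, 'Staff', 1);
INSERT INTO Topic VALUES (1, 'Welcome', 10.0), (2, 'Salary review', 12.0), (2, 'Old staff chat', 1.0);
INSERT INTO Permissions VALUES (2, 7, NULL, 1),  -- member 7 may read Staff
                                (2, NULL, 1, 1), -- admin group (1) may read Staff
                                (2, 9, NULL, 0); -- member 9 explicitly denied
"""

# The original active_topics.asp shape: joins Forum and Topic, filters on date only.
BASE = """
SELECT Topic.Subject FROM Forum, Topic
WHERE Forum.Forum_ID = Topic.Forum_ID AND Topic.Last_entry_date > :since
"""
# ilnar's corrected filter: hidden forums need a matching permission row, and the
# parentheses make [Read] = 1 apply to both the user match and the group match.
FILTER = """
  AND (Forum.[Hide] = 0 OR Topic.Forum_ID IN
       (SELECT Forum_ID FROM Permissions
        WHERE (Author_ID = :uid OR Group_ID = :gid) AND [Read] = 1))
"""
# Same filter without those parentheses: AND binds tighter than OR, so any row
# naming the user matches regardless of its [Read] value.
FILTER_LOOSE = FILTER.replace("(Author_ID = :uid OR Group_ID = :gid) AND",
                              "Author_ID = :uid OR Group_ID = :gid AND")
QUERIES = {"leaky": BASE, "filtered": BASE + FILTER, "loose": BASE + FILTER_LOOSE}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def active_topics(conn, uid, gid, mode="filtered", since=5.0):
    """Subjects of active topics visible to user uid in group gid, sorted."""
    # Values are bound as parameters rather than concatenated into the SQL
    # string as the ASP code does.
    params = {"since": since, "uid": uid, "gid": gid}
    rows = conn.execute(QUERIES[mode] + " ORDER BY Topic.Subject", params)
    return [r[0] for r in rows]
```

With the constructed rows, the guest sees the Staff topic under the leaky query and only the General topic under the filtered one, while member 9 regains the Staff topic only under the unparenthesised filter.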
Posted By: ilnar
Date Posted: 06 October 2003 at 12:11am
Why Forum.[Read]? What does this column/attribute mean?
Posted By: ilnar
Date Posted: 06 October 2003 at 12:34am
Thanks for your help, your code is good.