
Security Hole, Bad DB?

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=961
Printed Date: 30 March 2026 at 2:26am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Security Hole, Bad DB?
Posted By: Mikeap
Subject: Security Hole, Bad DB?
Date Posted: 12 March 2003 at 1:12pm

On Sunday night I used the translator to upgrade my old634.mdb to the new 7 version.

My forum is now locked because if a user, in the lowest group, logs into the site, he can click on anyone's profile, then he sees the EDIT PROFILE button and can then edit that person's profile.

I've duplicated the problem over and over again. No matter what my user access group is I can do it. Obviously Admins and Moderators should be able to but EVERYONE can do it. Potentially the problem is not that great for me because it's just a profile, BUT, the person can then change their own access level like if they were admins, giving themselves access to our private forums.

Is this a 7 problem or a database problem?




Replies:
Posted By: Mikeap
Date Posted: 12 March 2003 at 1:13pm
Also, I just registered for this forum mere seconds ago, it said that I would get the e-mail in 15 minutes validating/registering my account ... yet I posted this seconds after?


Posted By: michael
Date Posted: 12 March 2003 at 1:57pm
I am not sure what upgrade tool you used for your database but I did not encounter that problem with str8dogs which I used. Remember, it is still all beta so a security issue should have no impact at this time as we are just testing...


Posted By: Mikeap
Date Posted: 12 March 2003 at 2:00pm

I used the tool that was on this site.

I think what happened was the usernames became corrupt and everyone was a Moderator but were showing as just basic members. What I ended up doing was deleting all permissions, forums and users and recreated them all.

It seems to be fine now but maybe you could implement something that would allow you to globally set user permissions.

As well, on the forum permissions, the generic permissions often do not show what you really want as generic, even if you put settings on every group.



Posted By: Mikeap
Date Posted: 12 March 2003 at 2:02pm

Through all of this, this is the greatest and most feature-rich forum out there. Whether it be in PHP, ASP, whatever, this forum is great. I would pay for the non-boxed version if I had to. I looked into all the ASP boards out there and I even installed a couple for testing but none compared to this one. The admin (control panel) is the easiest to use, great tool.

Thank you guys for your tremendous work and time that you have put into this amazing tool.



Posted By: WebWiz-Bruce
Date Posted: 12 March 2003 at 5:57pm
Upgrading is always tricky and as upgrade tools are written by third parties there will always be such problems, a fresh install should be fine and as the v7 is only in beta I haven't even looked at or tested any upgrade tools myself, so upgrading will be hit and miss.

-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: Nigelo
Date Posted: 13 March 2003 at 8:16am

If the Database "Migrator" (downloadable from WWF) had been used, Users with Moderator status on 6.34 would also have the same status on v7 - no more, no less. There is no way that all Users would have been set to Moderator unless either old or new DB was already corrupt, in which case anything could have happened.

If in doubt, run a Compact / Repair on both old and new DBs before running the Migrator App.

Hope this helps
Nigel 
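
A check for the invariant described in the last reply (each user holds the same status after migration as before, no more, no less), as an added example that is not part of the original thread and is not Web Wiz Forums code. The `users(username, grp)` table, the group names and their ranking are assumptions, and the rows are constructed sample data held in SQLite rather than the forum's Access database.

```python
import sqlite3

# Assumed privilege order; group names are illustrative, not the forum's real schema.
RANK = {"Member": 0, "Moderator": 1, "Admin": 2}

def make_db(rows):
    """Build an in-memory database with a hypothetical users(username, grp) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, grp TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn

def groups(conn):
    """Return {username: group} for every account in the database."""
    return dict(conn.execute("SELECT username, grp FROM users"))

def audit_migration(old_conn, new_conn):
    """Compare each user's group before and after migration.

    Returns (kind, username, old_group, new_group) tuples ordered by username.
    An empty list means the migrated database preserved every user's status.
    """
    old, new = groups(old_conn), groups(new_conn)
    findings = []
    for user in sorted(old.keys() | new.keys()):
        before, after = old.get(user), new.get(user)
        if before is None:
            findings.append(("ADDED", user, None, after))
        elif after is None:
            findings.append(("MISSING", user, before, None))
        elif before not in RANK or after not in RANK:
            findings.append(("UNKNOWN_GROUP", user, before, after))
        elif RANK[after] > RANK[before]:
            findings.append(("ESCALATED", user, before, after))
        elif RANK[after] < RANK[before]:
            findings.append(("DEMOTED", user, before, after))
    return findings

# Constructed sample data: one member silently promoted, one account dropped.
OLD_ROWS = [("alice", "Admin"), ("bob", "Moderator"), ("carol", "Member"), ("dave", "Member")]
NEW_ROWS = [("alice", "Admin"), ("bob", "Moderator"), ("carol", "Moderator")]

def run_sample():
    return audit_migration(make_db(OLD_ROWS), make_db(NEW_ROWS))

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running a comparison like this before reopening the forum turns "everyone was a Moderator" into a list of specific accounts to correct instead of a reason to delete and recreate all users.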



