[Plugin: Forum Server] Security holes - protected topics visible to anyone (6 posts)

  1. johanl
    Posted 6 years ago #

    I just want to inform everyone that this plugin has a few security holes if you intend to limit access to forum categories for different user groups.

    Click on a topic in a forum that you have access to, then change the topic id to 0 (zero) in the URL (http://....viewtopic&t=0). All topics in all forum categories are then shown, including those you're not supposed to see.

    In a similar way: click a forum and change the forum id to 0 in the URL. All topics in all forums are shown.

    You don't even have to be logged in to view the topics with the methods above (if you know the url format that is)!

    Click the link "Show new topics since last visit" - all topics are shown including those you're not supposed to see.

    However, clicking a topic you should not see results in "Sorry you don't have access to the forum".


    PS: Does anyone know why the forums at the plugin page at vasthtml.com are broken? Can't post there. No message field.


  2. sahil_hasan
    Posted 6 years ago #

    Kindly advise how to apply rules in the forum for users.

    Looking forward to your kind response.

    Thanks and Regards

    Sahil Hassan

  3. lucidcrew
    Posted 6 years ago #

    Thanks for the tip! This has been fixed in v1.4.

    Version 1.4 has been posted, please upgrade.


  4. cartpauj
    Posted 6 years ago #

    I have picked up the project and cleaned up a TON of bugs. Enjoy!

  5. ranethor
    Posted 6 years ago #

    Not all of those issues were fixed in 1.4 - you can still see all new post topics, whether or not the poster has access to all of them. Will there be a fix for this? I've been digging in the plugin code trying to figure out where that is to see if I can come up with a PHP check for user level, but I'm still a beginner PHP programmer.

    In addition, RSS services won't recognize a feed for my site, just the forum. I asked about this on the VastHTML forum but no response so far.

    VastHTML forums appear to be down again.

    Any help would be appreciated!
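
The pattern reported in this thread is a listing view that skips the access check the single-topic view already enforces, with id 0 treated as "no filter". The sketch below is an added example, not part of any post and not Forum Server's code: every function name, group name and data value in it is hypothetical and constructed. It routes the forum view and the "new topics since last visit" view through one shared check.

```php
<?php
// Added example: hypothetical names and constructed data, not Forum Server's code.

// Constructed sample data: forum id => groups allowed to read it ([] = public).
const FORUMS = [1 => [], 2 => ['staff'], 3 => ['staff', 'moderators']];

// Constructed topics: id, owning forum and last-update time.
const TOPICS = [
    ['id' => 10, 'forum' => 1, 'updated' => 1000],
    ['id' => 11, 'forum' => 2, 'updated' => 2000],
    ['id' => 12, 'forum' => 3, 'updated' => 3000],
];

// The single access decision every view must go through.
function can_read_forum(int $forumId, array $userGroups): bool
{
    if (!array_key_exists($forumId, FORUMS)) {
        return false; // unknown id, including 0, never means "all forums"
    }
    $allowed = FORUMS[$forumId];
    return $allowed === [] || array_intersect($allowed, $userGroups) !== [];
}

// Forum view: validate the id from the URL, then check access before listing.
function topics_in_forum($rawId, array $userGroups): array
{
    $forumId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($forumId === false || !can_read_forum($forumId, $userGroups)) {
        return [];
    }
    return array_values(array_filter(TOPICS, fn($t) => $t['forum'] === $forumId));
}

// "New topics since last visit" spans forums, so the check runs per topic.
function new_topics(int $since, array $userGroups): array
{
    return array_values(array_filter(TOPICS, fn($t) =>
        $t['updated'] > $since && can_read_forum($t['forum'], $userGroups)));
}

// A guest (no groups) requesting forum id 0, then the new-topics view
// for a guest and for a member of the hypothetical 'staff' group.
var_dump(topics_in_forum('0', []));
var_dump(array_column(new_topics(0, []), 'id'));
var_dump(array_column(new_topics(0, ['staff']), 'id'));
```

Because both listing functions call `can_read_forum()`, a view added later cannot drift out of step with the per-topic check.
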

  6. lucidcrew
    Posted 5 years ago #

    ForumServer 1.5 has been released and has fixed all outstanding issues, including all incompatibilities with other plugins.


    == Changelog ==
    = 1.5 =
    * Fixed bug: Incompatibility with FireStats plugin and possibly certain other plugins, the bug also could cause a lot of database errors
    * Fixed bug: Duplicating topics due to plugin incompatibility with certain plugins
    * Fixed bug: No post body inside the topic due to plugin incompatibility with certain plugins
    * Fixed bug: BBCode content inside e-mail notifications
    * Fixed bug: Closing a topic didn't work as expected
    * Fixed bug: sending e-mail notifications of your own replies when subscribed on topic
    * Fixed bug: When subscribing to replies on topic, a blank screen was showing up
    * "Unmake sticky" renamed to "Unstick" (for sticky topics)
    * Fixed bug: Unstick function now works
    * Fixed bug: search system now works
    * Improved search system, now it searches in topic titles and can search in both titles and content
    * Fixed bug: Email notifications were not sent in some cases
    * New placeholder for inserting forum into WordPress page: [forumServer] can be used instead of <!--VASTHTML-->

Topic Closed

This topic has been closed to new replies.
