[Plugin: Forum Server] Security holes – protected topics visible to anyone
I just want to inform everyone that this plugin has a few security holes if you intend to limit access to forum categories for different user groups.
Click on a topic in a forum that you have access to, then change the topic id to 0 (zero) in the URL (http://….viewtopic&t=0), and all topics in all forum categories are shown, including those you’re not supposed to see.
In a similar way, click a forum and change the forum id to 0 in the URL; all topics in all forums are shown.
You don’t even have to be logged in to view the topics with the methods above (if you know the URL format, that is)!
Click the link “Show new topics since last visit” – all topics are shown including those you’re not supposed to see.
However, clicking a topic you should not see results in “Sorry you don’t have access to the forum”.
PS: Does anyone know why the forums at the plugin page at vasthtml.com are broken? I can’t post there; there is no message field.
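The report above describes a classic broken-access-control pattern: the forum permission check runs only on the single-topic path, while the list paths (t=0, f=0, "new topics since last visit") skip it. The following is an added, constructed model of that bug beside a hardened version; it is not the Forum Server plugin's code, and all data, group names and function names are assumptions for illustration.

```python
# Constructed model of the access-control bug in the post: the permission
# check lives only on the "open one topic" path, so any list view returns
# topics from every forum. Not the plugin's code; data and names are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Topic:
    id: int
    forum_id: int
    title: str


# Constructed sample data: forum 1 is public, forum 2 is staff-only.
FORUM_ALLOWED_GROUPS = {1: {"guest", "member", "staff"}, 2: {"staff"}}
TOPICS = [Topic(10, 1, "Welcome"), Topic(11, 2, "Staff only"), Topic(12, 2, "Payroll")]


def can_view_forum(user_group: str, forum_id: int) -> bool:
    return user_group in FORUM_ALLOWED_GROUPS.get(forum_id, set())


def view_topic_vulnerable(user_group: str, topic_id: int) -> list[Topic]:
    """Vulnerable: t=0 falls through to an unfiltered listing, exactly the
    behaviour the post reports, while a specific topic is checked."""
    if topic_id == 0:
        return list(TOPICS)  # no forum check on the list path
    topic = next((t for t in TOPICS if t.id == topic_id), None)
    if topic is None or not can_view_forum(user_group, topic.forum_id):
        raise PermissionError("Sorry you don't have access to the forum")
    return [topic]


def visible_topics(user_group: str, topics: list[Topic]) -> list[Topic]:
    """Hardened: one filter applied to every list view, so no entry point
    (t=0, f=0, 'new topics since last visit') can widen what a user sees."""
    return [t for t in topics if can_view_forum(user_group, t.forum_id)]


def view_topic_fixed(user_group: str, topic_id: int) -> list[Topic]:
    if topic_id == 0:  # treat 0 as a list request and filter it
        return visible_topics(user_group, TOPICS)
    topic = next((t for t in TOPICS if t.id == topic_id), None)
    if topic is None or not can_view_forum(user_group, topic.forum_id):
        raise PermissionError("Sorry you don't have access to the forum")
    return [topic]


def new_topics_since(user_group: str, last_seen_id: int) -> list[Topic]:
    """'Show new topics since last visit' goes through the same filter."""
    return visible_topics(user_group, [t for t in TOPICS if t.id > last_seen_id])
```

The fix worth taking away is structural: enforce forum permissions where topics are fetched, not per page, so an unanticipated parameter value cannot route around the check.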