Security problem in forums

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
3/17/2011 10:02:33 PM
cagliostro
Gravatar
Total Posts 125
View Posts

Security problem in forums

Hello.

I have setup two forum instances. One public and one totally private for the admins. Different menus also hidden.

Today i was informed that everybody can see the TOPICS and other information of the private forums if they click to a poster's posts (below the avatar)

/UserThreads.aspx?userid=whatever

Did i make something wrong or this is a bad bad security bug ?

Thanks

 

 

3/17/2011 10:20:47 PM
cagliostro
Gravatar
Total Posts 125
View Posts

Re: Security problem in forums

The same problem exists (for logged users only, still ..) in the Profile of somebody. They can click on the users threads and see everything

/Forums/UserThreads.aspx?userid=whatever

bypassing the security settings.

 

 

3/18/2011 4:58:53 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Security problem in forums

It is a known limitation of the forums. You have 2 options to deal with it.

  1. Use a separate site for private forums
  2. disable browsing of user threads by adding this to user.config <add key="AllowUserThreadBrowsing" value="false" />

 

Best,

Joe

3/18/2011 6:25:28 AM
cagliostro
Gravatar
Total Posts 125
View Posts

Re: Security problem in forums

Option #2 works ok,

 

Thanks !

You must sign in to post in the forums. This thread is closed to new posts.