Security loophole in Forums

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
This thread is closed to new posts. You must sign in to post in the forums.
2/29/2012 10:23:42 AM
Total Posts 537
feet planted firmly on the ground

Security loophole in Forums

This has been observed on 2.3.7.9

We have a forum that is restricted to members of one role plus admins. Other authenticated users that are not in the permitted roles can view the member list, and from there they can "View posts" from the privileged members, and thus gain access to the private forum.

2/29/2012 10:42:09 AM
Total Posts 18439

Re: Security loophole in Forums

This is a known limitation. We don't have a good way to filter out forum threads/posts that may be on pages protected by roles. Therefore, if you have forums like that, you should disable the option to browse user posts by adding this to user.config:

<add key="ShowForumPostsInMemberList" value="false" />

To remove the link to user posts in the forums itself, since it would also show the posts from protected pages, you would also need this:

<add key="AllowUserThreadBrowsing" value="false" />

Users without permissions would get access denied if they clicked a link to a forum on a protected page, but without this setting they can see the thread/post topic. 

Hope that helps,

Joe
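
A quick way to confirm that both settings from the reply above are in place, as an added example that is not part of the original thread or mojoPortal's own code. It assumes user.config has an `<appSettings>` root holding the `<add>` elements and that a missing key leaves the feature enabled; `audit_user_config` and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Keys named in the reply above. Both must be "false" so that per-user post
# listings cannot expose threads from role-restricted forum pages.
REQUIRED_FALSE = ("ShowForumPostsInMemberList", "AllowUserThreadBrowsing")

# Constructed sample: only the member-list setting was applied.
WEAK = """<appSettings>
  <add key="ShowForumPostsInMemberList" value="false" />
</appSettings>"""

# Constructed sample: both settings from the reply are present.
HARDENED = """<appSettings>
  <add key="ShowForumPostsInMemberList" value="false" />
  <add key="AllowUserThreadBrowsing" value="false" />
</appSettings>"""


def audit_user_config(xml_text):
    """Return {key: finding} for each key that is not explicitly "false"."""
    root = ET.fromstring(xml_text)
    values = {}
    for add in root.iter("add"):
        key = add.get("key")
        if key in REQUIRED_FALSE:
            # Collect every occurrence so a conflicting duplicate is reported.
            values.setdefault(key, []).append((add.get("value") or "").strip())
    findings = {}
    for key in REQUIRED_FALSE:
        found = values.get(key, [])
        if not found:
            # Assumption from the thread: the feature is on unless disabled.
            findings[key] = "missing"
        elif any(v.lower() != "false" for v in found):
            findings[key] = "set to " + "/".join(found)
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_user_config(text) or "ok")
```

An empty result means both keys are explicitly disabled; any entry names the setting that still leaves thread titles from restricted forums browsable.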

3/1/2012 12:24:48 PM
Total Posts 537
feet planted firmly on the ground

Re: Security loophole in Forums

Thanks Joe, that's just what I need.
