MyBB Community Forums

Full Version: Suggestion to privatize hidden threads and forums by URL.
There should be a way to make it impossible for a regular user to determine that a private thread does exist.
Let's say this URL takes privileged users to the moderator thread:
https://site.com/showthread.php?tid=1
With the Google SEO plugin enabled, it might make it more obvious:
https://site.com/Thread-Moderators-Thread--1
If an unprivileged user has the tid value, he will know that thread exists for a fact, but can't access it, and with the Google SEO URL function, it is clear as day.

If you were to delete that thread, a regular user attempting to access it would get a "thread does not exist" error, and thus keep trying other tid values until he finds another instance.

This is a security issue that should be looked into.
...have you actually tested if unprivileged users accessing "showthread.php?tid=1" are redirected to "Thread-Moderators-Thread--1"?

Either way, that would be a vulnerability in the Google SEO plugin, not MyBB.
It's a setting. (Google SEO Redirect settings -> Permission Checks)
(2019-12-09, 07:47 PM) frostschutz wrote: It's a setting. (Google SEO Redirect settings -> Permission Checks)
Ah, thanks for reminding me of that option. Not sure why I never noticed it. Anyway, kindly disregard the thread. The moderators are more than welcome to delete it. Bad judgment call.
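
Added example, not part of the original thread and not MyBB or Google SEO code: a small Python model of the two behaviours discussed above, a handler that redirects to the title-bearing URL before checking permissions and one that checks first and answers hidden and missing threads identically. The handler names, the sample threads and the "no permission" message are assumptions made for the illustration.

```python
# Constructed sample data: tid -> (title, visible to regular users)
THREADS = {1: ("Moderators Thread", False), 2: ("Welcome", True)}

# One response shared by "missing" and "not allowed": (status, Location, body)
NOT_FOUND = (404, None, "thread does not exist")


def slug(tid, title):
    # Same shape as the SEO URL quoted in the thread: Thread-<Title>--<tid>
    return "/Thread-" + title.replace(" ", "-") + "--" + str(tid)


def handle_leaky(tid, is_moderator, canonical=False):
    """Redirects before checking permissions; denial differs from 'missing'."""
    entry = THREADS.get(tid)
    if entry is None:
        return NOT_FOUND
    title, public = entry
    if not canonical:
        return (301, slug(tid, title), "")  # title exposed to any caller
    if not (public or is_moderator):
        return (403, None, "no permission")  # constructed message
    return (200, None, title)


def handle_hardened(tid, is_moderator, canonical=False):
    """Checks permissions first; hidden and missing threads look identical."""
    entry = THREADS.get(tid)
    if entry is None or not (entry[1] or is_moderator):
        return NOT_FOUND
    if not canonical:
        return (301, slug(tid, entry[0]), "")
    return (200, None, entry[0])


def leaked_hidden_tids(handler):
    """Hidden tids whose unprivileged response differs from a missing tid's."""
    missing = max(THREADS) + 1
    leaked = []
    for tid, (_, public) in THREADS.items():
        if public:
            continue
        for canonical in (False, True):
            if handler(tid, False, canonical) != handler(missing, False, canonical):
                leaked.append(tid)
                break
    return leaked
```

The comparison covers status, Location and body only; on a real board, response headers and timing need to match as well for the two cases to be indistinguishable.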