MyBB Community Forums

Full Version: Attachment Exploit
Can anyone tell me how a user was able to gain access to an attachment that isn't accessible to a normal user? The user was able to access it and inform me of its exact contents.

Something MyBB needs to fix.
Could you please tell me the steps he did to access the attachment file, and are you running the latest version, 1.4.13?
I dunno what steps he took, he was able to tell me exactly what was inside the attachment, and yes, I'm using 1.4.13.
We can't do a whole lot without knowing how it happened. Did you try asking them?
No, I didn't, as I don't think it's something they want to share. Well, I'm just letting MyBB know that their attachment feature is not secure.
Could you please let him do it again on another attachment? Also please check his secondary usergroup. We can only help you if he could tell us how he managed to access the file(s).
(2010-05-30, 03:51 PM) dunlop03 Wrote: Well, I'm just letting MyBB know that their attachment feature is not secure.
That's not true...
As long as you can't say where a problem is, we can't do anything.
He was just a registered user, only just signed up.
What's not true, StefanT?
(2010-05-30, 03:53 PM) dunlop03 Wrote: He was just a registered user, only just signed up.
What's not true, StefanT?
If I were you, I would double check the security of your forum and check the Admin logs. Also check your MyBB directory for files that shouldn't be there, and double check your Index, Global, Header, Footer, etc. templates for random code.
Are you sure all the permissions are correct?? It's pretty much impossible to guess the name of an attachment file and the permissions work... we can't 'fix' anything with this level of information, there's no guarantee it's even a MyBB issue.