MyBB Community Forums

Full Version: Can an administrator escape from /public_html/forum/ ?
How do you propose people run their own code...?? If you have given people some way of editing files, then that's your problem, of course they can run any code they want, but that's not part of MyBB so is nothing to do with us whatsoever.
(2010-11-23, 01:35 PM)MattRogowski Wrote: Anybody can access a file in your file system if they know the path, doesn't matter if they're an admin or not. Someone being an admin has absolutely zero effect on access to actual files anywhere in your file system. If you give them access to edit something, then yes obviously there's a chance they can abuse it, but MyBB has no ability to enter and run PHP other than in an actual file that's already uploaded.

Well, there is a difference between executing a PHP file and seeing the resulting HTML code, and the actual code of the PHP file which generates the output being accessible.
Also there is .htaccess to restrict users from accessing an arbitrary file directly with a specific HTTP request. For example, that is what most front-controller based MVC frameworks do: only a single .php file can be executed from outside, and all other files are accessed by the front-controller file to render the output.
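The front-controller restriction described in the post above, as an added example that is not from the thread or from MyBB itself. It assumes Apache 2.4 with mod_rewrite enabled and an application whose single entry point is index.php; MyBB as shipped has many directly requested .php files, so this layout does not apply to it unchanged.

```apache
# Added example, not MyBB's own configuration: restrict an application
# directory so that only the front controller (index.php) can be executed
# directly, while every other .php file is reachable only through it.
RewriteEngine On

# Requests for paths that are not an existing file or directory are routed
# internally to the front controller.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]

# Deny direct HTTP access to every .php file in this directory tree ...
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# ... and then re-allow only the front controller. <Files> sections are
# merged in the order they appear, so this later grant overrides the deny
# for index.php alone. Static assets (css, js, images) are unaffected.
<Files "index.php">
    Require all granted
</Files>
```

This only limits which files the web server will execute for an outside request; it does not stop code already running inside index.php (or a plugin it loads) from reading files elsewhere on the same server.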

(2010-11-23, 01:35 PM)MattRogowski Wrote:
(2010-11-23, 12:18 PM)sysrq Wrote: But can I say in the ACP which folders in the filesystem a user is able to access?

What on earth...?? How is it MyBB's job to handle what files on your server people can access?? o.O

That is what I wanted to hear. Thank you MattRogowski. I wanted to be sure that nobody is able to do bad things before I give people administrative rights, people whom I have never met in my life.
(2010-11-23, 01:49 PM)MattRogowski Wrote: How do you propose people run their own code...?? If you have given people some way of editing files, then that's your problem, of course they can run any code they want, but that's not part of MyBB so is nothing to do with us whatsoever.

I only wanted to know if, in the context of MyBB, an administrative user is able to execute arbitrary code. But as you just said, this is not possible, so I am fine with this.

The point is that usually an administrator is a person who can do good or bad things. And I wanted to know if a MyBB administrator is able to do arbitrary bad things, like accessing files which are not part of MyBB. Deleting subforums or banning users is another question and has nothing to do with the issue I was concerned with.
(2010-11-23, 01:54 PM)sysrq Wrote: like accessing files which are not part of MyBB

Yes, of course they can do that, if they already know/can guess the URL to a file or folder somewhere else in your file structure then of course they can access it via the URL, but being an administrator doesn't suddenly make them able to do this, anybody can if they know the URL, and can run whatever is in it and see whatever output it would show. You seem to be saying that once someone is an admin on a MyBB forum, they can then access everything in your entire file system.
(2010-11-23, 02:01 PM)MattRogowski Wrote: You seem to be saying that once someone is an admin on a MyBB forum, they can then access everything in your entire file system.

Exactly. This was my question. I have different subfolders with different software setup, for example MyBB in /forum and Mediawiki in /wii, and I want to be sure that an administrative user in MyBB is not able to access files outside of MyBB.
Quote: Can an administrator escape from /public_html/forum/?
(2010-11-23, 01:48 PM)sysrq Wrote: And that is what I want to know: is an administrative user able to execute arbitrary code?

Yes, see also http://community.mybb.com/thread-66409.html