MyBB Community Forums

Full Version: Is this a security flaw? Or just misconfiguration?
I set up a forum with an add-on installed where guests can't view threads.
Other than that, I set manual permissions on categories and forums so that guests and awaiting-activation users have no access or limited access. Only registered members can view all threads, as set in the permissions.

Now I discovered the portal. When I opened the portal, all of my custom permissions became useless. Via the portal, everything is visible. All posts, all categories, all forums can be viewed via the portal. What did I do? I deleted portal.php and added a redirection to my .htaccess that redirects any non-existing page to the main forum. If someone tries to access portal.php, which no longer exists, it redirects to the main forum.

I thought that was enough...

Now I discovered RSS syndication. This time, it's just like portal.php: all posts in protected categories and forums are visible. My custom permission settings are useless if users view via RSS syndication. Everything is there. Regardless of permissions, everything is visible.

Is this a security flaw? Or just misconfiguration?
RSS is because you are logged in; log out to see the permissions take effect. I don't know about the portal since I never use it.
Still the same. Logged in or not, I can see all the posts in all categories and forums. If I set it to syndicate 100, then it will display 100 posts with all the details and content.

As for the portal, try to open it at your link: yourlink.com/portal.php
I think the portal is enabled by default. I just didn't know it was until I read it on this forum.
As of now, I have no other option but to rename syndication.php to something else just to make sure that no one gets to view the threads without being a registered user. This way, if someone accesses syndication.php, it redirects them to my main forum, as set in my .htaccess.

Other than that, I removed the RSS syndication link in footer.php.

This should not be the case. Permissions are ineffective via the portal and syndication.
I wonder if there are any other pages like portal and syndication that bypass the security of my forum, where everyone, registered or not, can view my forums, bypassing the permissions set within my forum.
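For the .htaccess approach described in the post above, here is an added example (not from the poster or from MyBB) that blocks the two pages explicitly rather than relying on the files being deleted and caught by a generic not-found redirect. It assumes mod_rewrite is enabled and the forum is installed at the site root; the rule is a stopgap, since the underlying fix is to use MyBB's own forum permissions, which the portal and syndication pages honour, rather than a thread-hiding plugin that only covers showthread.

```apache
# Added example, not the poster's own .htaccess. Explicitly redirect requests
# for portal.php and syndication.php to the forum index, so the block does not
# depend on the files being absent. Adjust RewriteBase if the forum lives in a
# subdirectory.
RewriteEngine On
RewriteBase /

# [NC] = case-insensitive match, [R=302] = temporary redirect, [L] = stop here.
RewriteRule ^(portal|syndication)\.php$ index.php [NC,R=302,L]
```

Verify the rule from a browser with no forum cookies (a private window): both URLs should land on index.php, and the RSS link in the footer should no longer return feed items.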
Either your permissions are wrong or you are still logged in. You can't see our internal posts here, right? ;)
(2011-06-10, 04:54 AM) StefanT Wrote: Either your permissions are wrong or you are still logged in. You can't see our internal posts here, right? ;)

Logged in or not, I can see my posts via the portal and syndication (RSS feeds).
It's only effective on the forum, index.php. Guests and awaiting-activation users can't see or read threads on the forum.
But via the portal, posts are displayed on portal.php.
Via RSS syndication, posts from all categories and forums are also displayed.

As of now, I have removed both portal.php and syndication.php from my forum. It's just like a backdoor to see what's inside my forum without registering.
I will restore portal.php and syndication.php for you to see what I mean.
Then you haven't set the permissions properly... Can you please post a link to your forum?
Here's the link to the forum:

****links removed****

Try to explore the forum as a Guest (not registered). There you'll see that guests can see the thread titles but can't view them. This is what I wanted. Guests can't view the threads.

Now, go to:
****links removed****/portal.php

And you'll see that portal.php is showing my threads.

Now, go to:
****links removed****/syndication.php

And you'll see that it's also showing all of my threads/posts, which makes my permissions on the forum useless.

(2011-06-10, 06:43 AM) KenWeiLL Wrote: Guests can't view the threads.
Is this a plugin?
Yup. It is.
Then it's a problem with this plugin, not with MyBB... ;)