[Rejected] Suggestion to privatize hidden threads and forums by URL.
#1
There should be a way to make it impossible for a regular user to determine that a private thread does exist.
Let's say this URL takes privileged users to the moderator thread:
https://site.com/showthread.php?tid=1
With the Google SEO plugin enabled, it might make it more obvious:
https://site.com/Thread-Moderators-Thread--1
If an unprivileged user has the tid value, he will know that thread exists for a fact, but can't access it, and with the Google SEO URL function, it is clear as day.

If you were to delete that thread, a regular user attempting to access it would get a "thread does not exist" error, and thus keep trying other tid values until he finds another instance.

This is a security issue that should be looked into.
#2
...have you actually tested if unprivileged users accessing "showthread.php?tid=1" are redirected to "Thread-Moderators-Thread--1"?

Either way, that would be a vulnerability in the Google SEO plugin, not MyBB.
No longer involved in the MyBB project.
#3
It's a setting. (Google SEO Redirect settings -> Permission Checks)
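The existence oracle described in #1 (a hidden thread answering differently from a missing one, with the SEO redirect spelling out the subject) and the permission-check-before-redirect behaviour that #3 points to, modelled as an added Python example. This is not MyBB or Google SEO plugin code; the thread table, group names, status codes and URL format are constructed for illustration.

```python
"""Toy forum URL resolver showing how a redirect can leak that a hidden
thread exists, and how checking permissions first removes the oracle.

All data below is constructed; it is not MyBB or Google SEO plugin code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Thread:
    tid: int
    subject: str
    allowed_groups: FrozenSet[str]  # user groups permitted to view the thread


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # Location header for redirects
    body: str = ""


# Constructed sample threads: tid 1 is moderator-only, tid 2 is public.
THREADS: Dict[int, Thread] = {
    1: Thread(1, "Moderators Thread", frozenset({"moderator", "admin"})),
    2: Thread(2, "Welcome", frozenset({"guest", "member", "moderator", "admin"})),
}

# One response object reused for "missing" and "not allowed to know",
# so the two cases are byte-for-byte identical to an unprivileged client.
NOT_FOUND = Response(404, body="The specified thread does not exist.")


def seo_url(thread: Thread) -> str:
    """Assumed pretty-URL format: /Thread-<subject-with-dashes>--<tid>."""
    return f"/Thread-{thread.subject.replace(' ', '-')}--{thread.tid}"


def can_view(thread: Thread, user_groups: FrozenSet[str]) -> bool:
    return bool(thread.allowed_groups & user_groups)


def resolve_leaky(tid: int, user_groups: FrozenSet[str]) -> Response:
    """Redirect to the SEO URL as soon as the thread exists.

    The permission check only happens on the redirected page, so the
    redirect itself (and its subject-bearing target) confirms existence.
    """
    thread = THREADS.get(tid)
    if thread is None:
        return NOT_FOUND
    return Response(301, location=seo_url(thread))


def resolve_hardened(tid: int, user_groups: FrozenSet[str]) -> Response:
    """Check permissions before redirecting.

    A thread the caller may not view is answered exactly like a thread
    that never existed or was deleted, so guessing tid values learns nothing.
    """
    thread = THREADS.get(tid)
    if thread is None or not can_view(thread, user_groups):
        return NOT_FOUND
    return Response(301, location=seo_url(thread))


def leaks_existence(resolver: Callable[[int, FrozenSet[str]], Response],
                    hidden_tid: int, missing_tid: int,
                    user_groups: FrozenSet[str]) -> bool:
    """True if an unprivileged caller can tell a hidden thread from a missing one."""
    return resolver(hidden_tid, user_groups) != resolver(missing_tid, user_groups)


if __name__ == "__main__":
    guest = frozenset({"guest"})
    print("leaky   :", resolve_leaky(1, guest), resolve_leaky(999, guest))
    print("hardened:", resolve_hardened(1, guest), resolve_hardened(999, guest))
    print("leaky resolver leaks existence:", leaks_existence(resolve_leaky, 1, 999, guest))
    print("hardened resolver leaks existence:", leaks_existence(resolve_hardened, 1, 999, guest))
```

The property worth keeping in mind when reviewing a redirect or pretty-URL layer is that any step taken before the permission check (a redirect, a canonical URL, a title in the page header) is observable to the unprivileged client and therefore part of the oracle; the hardened resolver makes the "forbidden" and "deleted" cases indistinguishable at the first response rather than only on the final page.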
#4
(2019-12-09, 07:47 PM)frostschutz Wrote: It's a setting. (Google SEO Redirect settings -> Permission Checks)
Ah, thanks for reminding me of that option. Not sure why I never noticed it. Anyway, kindly disregard the thread. The moderators are more than welcome to delete it. Bad judgment call.