[Pushed] IP Search shows moderators thread titles even if they have no permission there.
#1
  • Detailed description of your problem, including steps to reproduce if necessary
A person has Mod CP access. They can get the IP address of a user who has view access to a board the moderator doesn't. They go to Mod CP, IP Search and put in the IP address of the user. They will be able to see the TITLES of THREADS the user has created or posted in, even if the mod with Mod CP access doesn't have view permission on these boards.
  • New installation or upgrade (from which version of MyBB)?
1.6

Thanks

P.S: I've temporarily commented out the "Search Posts" checkbox under IP Search, but that's not a very safe solution.
Reply
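The missing check described in the first post, shown as an added example that is not part of the original thread and is not MyBB's code. The table, columns, function names and sample rows are hypothetical and constructed for illustration; it models an IP search with and without the searcher's forum view permissions applied in the query.

```php
<?php
// Added illustration; table, column and function names are hypothetical, not MyBB's schema or API.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (pid INTEGER PRIMARY KEY, fid INTEGER, subject TEXT, ipaddress TEXT)');

// Constructed sample data: forum 1 is public, forum 2 is a restricted board.
$rows = [
    [1, 1, 'Welcome thread', '203.0.113.7'],
    [2, 2, 'Staff-only planning', '203.0.113.7'],
    [3, 1, 'Unrelated post', '198.51.100.9'],
];
$ins = $db->prepare('INSERT INTO posts (pid, fid, subject, ipaddress) VALUES (?, ?, ?, ?)');
foreach ($rows as $r) {
    $ins->execute($r);
}

// Behaviour described in the report: results depend only on the IP address.
function ip_search_unfiltered(PDO $db, string $ip): array
{
    $q = $db->prepare('SELECT subject FROM posts WHERE ipaddress = ? ORDER BY pid');
    $q->execute([$ip]);
    return $q->fetchAll(PDO::FETCH_COLUMN);
}

// Corrected form: the searcher's viewable forums are part of the query itself,
// so result counts and pagination cannot expose restricted rows either.
function ip_search_filtered(PDO $db, string $ip, array $viewableFids): array
{
    if ($viewableFids === []) {
        return []; // fail closed: no viewable forums means no results
    }
    $marks = implode(',', array_fill(0, count($viewableFids), '?'));
    $q = $db->prepare("SELECT subject FROM posts WHERE ipaddress = ? AND fid IN ($marks) ORDER BY pid");
    $q->execute(array_merge([$ip], array_map('intval', array_values($viewableFids))));
    return $q->fetchAll(PDO::FETCH_COLUMN);
}

$modViewable = [1]; // this moderator has Mod CP access but cannot view forum 2
print_r(ip_search_unfiltered($db, '203.0.113.7'));             // the behaviour the report describes
print_r(ip_search_filtered($db, '203.0.113.7', $modViewable)); // limited to forums the moderator may view
```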
#2
Thanks for the report. I would guess this will also affect 1.6 as the code is nearly identical.
Reply
#3
This is actually a bug I've found on 1.6 - I'm not on 1.8 yet, the upgrade scares me considering how plugin-dependent our forum experience is.

Any chance this will be fixed on 1.6 as well?

Also, considering the seriousness of the bug, any temporary quickfix you could give me to try and stop it from being exploited until then?
Reply
#4
Hi,

Thank you for your report. We have pushed this issue to our GitHub repository for further analysis, where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there.

Follow this link to visit the issue on GitHub: https://github.com/mybb/mybb/issues/1989

Thanks for contributing to MyBB!

Regards,
The MyBB Group
Reply
#5
I guess it could be considered a security issue, so there will likely be a patch for 1.6. I haven't had a chance to look at the code, but the fix shouldn't be too hard. I'll try to get a chance to look at it tomorrow.
Reply
#6
Hello,

This issue is still present, even in 1.8.
Reply
#7
Yes, that's why this issue is still open.
Reply