vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=201286

Valter 31 Mar 2009 00:16

Quote:

Originally Posted by Sweeks (Post 1780442)
There is some form of security bug in this which allows even a guest to use it. If I could PM you I would let you experience the flaw as I dont wish to post it publically.

Now unless there is something wrong with how I have set this up then there definitely is a problem. The only users I have allowed to use this is two admin accounts, I dont understand how guests could use it.

Have you checked your ModLog for this product entries?

Feel free to report product to forum Staff so they can check it and move it to "Mod Graveyard" if they find such bug. Noone reported such issue before.

Check your settings and ensure that proper user IDs are added to the list of Admins. IDs should be separated with commas.

nascartr 31 Mar 2009 15:24

I tested with a regular member and a guest, I don't have the problem.

Sweeks 31 Mar 2009 19:25

There is no logs at all of the activity as it is a guest able to do this. All user ID's have been correct too. @ Nascartr, I have tested it myself on a friends board without the same problem. I am sure this wasnt possible on our board until lately. Could it be anything to do with not using the default memberinfo template?
________
FAMILY GUY DICUSSION

Wifey 01 Apr 2009 21:19

I got a vbulletin error page when I tried to log in to an account on my site. I went back to the main page and it was gone, and I was logged in as myself but it was telling me I was logged in as someone else. I haven't even opened this site yet and have maybe 4 other hacks total installed. Any idea?

Great hack, by the way -- I had it on my last board and it was very useful with helping out a user on their account without having them change their password to something generic and then changing it back.

Valter 01 Apr 2009 21:59

Quote:

Originally Posted by Sweeks (Post 1781228)
Could it be anything to do with not using the default memberinfo template?

Nope. Even if you give them direct link to loginasuser script they will not be able to do that.
Quote:

Originally Posted by Wifey (Post 1781967)
I got a vbulletin error page when I tried to log in to an account on my site.

What error?

Try to clear forum cookies, then re-log-in to your account, then try to log-in as user.

padfoot007 02 Apr 2009 05:25

DUDE...omg this is one of the most amazing and freaky plugin ever...<3 u

Sweeks 03 Apr 2009 16:55

Youve said this is impossible, well how come it is doing this on our board as a guest even after installing the plugin again?

[removed the link ;)] is exactly what can be used on our forum for some reason with this modification enabled. That is without link on profiles etc and only allowed for myself to use it in the options for this.
________
Mercedes-Benz W125 History

Sweeks 03 Apr 2009 17:00

Got it at last! This modification is not to blame and I apologise Cyb, I have just figured it out! Another mod is allowing this security risk to be open in conflict which I am reporting.
________
Mflb vaporizer

Sweeks 03 Apr 2009 17:37

Actually I take that back, it is still doing the same thing.

I have tested the flaw in IE8 but it doesnt work and only seems to work in FF. I have disabled all the modifications using usergroups and still get this problem. Also, our guest count drops to zero guests as soon as I attempt the trick, it resets our guests somehow.
________
Vaporizer Information

Brother Malachi 08 Apr 2009 22:49

I didn't realize the logging was on by default and have now disabled it, but is there a way to get rid of the logs that are already in the database?

Phobos49 09 Apr 2009 07:41

Quote:

Originally Posted by Sweeks (Post 1783114)
Youve said this is impossible, well how come it is doing this on our board as a guest even after installing the plugin again?

is exactly what can be used on our forum for some reason with this modification enabled. That is without link on profiles etc and only allowed for myself to use it in the options for this.

Damn, he is right!!!! :eek::eek::eek::eek:

With this link I am able to login into any account at my forum I want to! Even wihthout being even logged in before!!!

How is this possible?!?!?! DANGEROUS!!!!!!

Brother Malachi 09 Apr 2009 07:48

Sweeks, edit that link out.

Brother Malachi 09 Apr 2009 07:53

And of course Cybernetec doesn't accept PMs. Unless he takes a look at the above within a day I'm going to PM one of the mods and have them move this to the mod graveyard.

Phobos49 09 Apr 2009 08:08

I just edited my Quote so that the URL disappears.

Well, I'm a bit shocked... I never thought, that an AddOn could do things like that! :eek::(

Brother Malachi 09 Apr 2009 08:10

I PMed an admin to remove the other URL too.


All times are GMT. The time now is 07:33.

Powered by vBulletin® Version 3.8.14
Copyright © 2021, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.