Security Hole: Change Roles

NeoMenlo

I would assume it is popular to create more roles than the few defaults. I also think that if you have very many more than the defaults, then it becomes very appealing to allow moderators to change roles.

I did this to my vanilla forum, which currently does not have many members and I trust them all.

One of my moderators found that not only could he change his own role to be administrator, he could reduce mine. He changed it back, without my asking. I then saw that he did it and dissabled the feature. It is possible that another user would enable this feature and have someone find out, who won't be so co-operative.

I think a role changer could also:

• Ban administrator(s) (ME)
• Make anyone an admin
• Install malware extensions
• Change the default theme to something that renders the forum unusable
• Insert malware javascript into the banner title
• Change user contact info and passwords
• Find the sql server info in application settings or use an extension to wipe the sql database
• Find the mail server in application settings and further compromise privacy

Simply, cause all kinds of havok. Since the administrators have ftp or direct access, some things are recoverable (like the change in roles and styles). However, the distinct possibility that they would alter everything possible and try to delete everything (including the database) would be unrecoverable and devastating to a forum.

I do not know any coding .php or java aside from echo. So you guys probably know better than I do.

1- However, I propose that when the allow users to change roles option is enabled, the user can raise others levels to one below their own. They should also not have any control over users that are hierarchically above or at the same level as them.

2 - Another option would be to allow all users to see the change rolls and force them to enter notes about the role change, but make the admin should have to review them. These could possibly show up under the applicant search.

3 - If nothing else, a warning should be included near the role permission

Minisweeper

Can I just check, on the roles settings page, where you have the drag&droppable list of roles, is the 'moderator' (or whatever) role higher up than the 'administrator' (or whatever) role? I believe by default it would create it lower down, but (i believe) vanilla understands that roles lower down the list are more powerful than roles higher up the list, and therefore this behaviour shouldnt exist. I hope that makes sense, check it out and let us know.

u2wedge

might I add that this seems completely backwards... those on the bottom of the totem pole typically have the least power and those at the top have the most. Should this be weighted differently if that is how it is currently calibrated?

Minisweeper

Well it depends how you think about it really...once you work on the basis that 'unauthenticated' starts at the top and 'master administrator' starts at the bottom you can pretty quickly orientate yourself...i see what you mean though.

NeoMenlo

My roles go like this:

Administrator
Moderator
Inventor
Member
Rookie
Unauthenticated
Banned

It was like that in the beggining?
I never really thought about it, but I guess maybe they were.
Thats still extremely confusing, even if I were to see it like that as the default now, I would still have doubts.

Aside from that, does it even make a difference?

Minisweeper

Try swapping the order of the list completely so it runs banned through to administrator. I think you'll find it solves your problem perfectly.

NeoMenlo

For those of you who want to see the Role History of my administrative account, visit:
http://www.neomenlo.org/forum/account.php

y2kbg

actually I saw the role "Inventor" and "Menlo" in you name and was interested in the content or your forum.

NeoMenlo

By the way, thanks for adding me to your gmail. I actually found out that i'm not the only one who's got problems with the extension. I made a discussion a day ago. So far, one guy has responded and said it didn't work either. His results were much more severe than mine. His forum broke. I just cant get my IP history's to display where they should. I was actually around here back when everything was pre 1.0, which is when the IPhistory 1.0 worked.

Minisweeper

IP History seems to work fine on this forum..?

[-Stash-]

IP History works fine for me on 1.0.3...

Mark

It's not *really* a security hole. If you allow someone to change people's roles, then that person has the ability to change people's roles - any person into any role. The permission isn't, "Allow people to alter roles less powerful than the one they're in". I didn't want to get into a semantic debate, so I left it as straightforward as possible. A person with the ability to change roles can do exactly that.

If you guys want to change the roles to be "weighted" and have importance based on their order in the list - that's something I'm open to. I've kind of been waiting for this discussion to pop up, and I'm surprised it took this long!

Max_B

In fact, I saw when writing the CategoryRoles extension that roles are given a rank number, based on the order in that list. This "weight" is not used by Vanilla core but I use it in the extension.

Good to see you are back aboard Mark.

headcase

My roles go like this:

Administrator
Moderator
Inventor
Member
Rookie
Unauthenticated
Banned

It was like that in the beggining?
I never really thought about it, but I guess maybe they were.
Thats still extremely confusing, even if I were to see it like that as the default now, I would still have doubts.

Aside from that, does it even make a difference?

How do you do that add roles.

Lincoln

@headcase This is a discussion re: Vanilla 1 from 2007.

You can add roles in Vanilla 2 thru the Dashboard under Users -> Roles & Permissions.