Security Hole: Change Roles

I would assume it is popular to create more roles than the few defaults. I also think that if you have very many more than the defaults, then it becomes very appealing to allow moderators to change roles.

I did this to my vanilla forum, which currently does not have many members and I trust them all.

One of my moderators found that not only could he change his own role to be administrator, he could reduce mine. He changed it back, without my asking. I then saw that he did it and disabled the feature. It is possible that another user would enable this feature and have someone find out, who won't be so co-operative.

I think a role changer could also:
  • Ban administrator(s) (ME)
  • Make anyone an admin
  • Install malware extensions
  • Change the default theme to something that renders the forum unusable
  • Insert malware JavaScript into the banner title
  • Change user contact info and passwords
  • Find the SQL server info in application settings or use an extension to wipe the SQL database
  • Find the mail server in application settings and further compromise privacy
Simply put, cause all kinds of havoc. Since the administrators have FTP or direct access, some things are recoverable (like the change in roles and styles). However, the distinct possibility that they would alter everything possible and try to delete everything (including the database) would be unrecoverable and devastating to a forum.

I do not know any coding, .php or Java, aside from echo. So you guys probably know better than I do.

1 - However, I propose that when the "allow users to change roles" option is enabled, the user can raise others' levels to one below their own. They should also not have any control over users that are hierarchically above or at the same level as them.

2 - Another option would be to allow all users to see the role changes and force them to enter notes about the role change, but the admin should have to review them. These could possibly show up under the applicant search.

3 - If nothing else, a warning should be included near the role permission.
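The hierarchy rule from proposal 1 and the mandatory note from proposal 2, as an added example that is not Vanilla's own code and not part of the original post. The role names, ranks, `User`/`AuditEntry` types and the `can_change_role`/`change_role` functions are constructed for illustration; a real forum would key the rank off its own role table and persist the audit entries.

```python
# Added example (not Vanilla's code): authorisation check for a role change that
# only allows acting on users strictly below the actor's level, only assigns roles
# strictly below the actor's level, never lets a user change their own role, and
# refuses to apply a change without a note for the admin to review.
from dataclasses import dataclass

# Constructed sample hierarchy: a higher rank means more privilege.
ROLE_RANK = {"Member": 10, "Moderator": 50, "Administrator": 100}


@dataclass
class User:
    name: str
    role: str
    can_change_roles: bool = False  # the "allow users to change roles" permission


@dataclass
class AuditEntry:
    actor: str
    target: str
    old_role: str
    new_role: str
    note: str


AUDIT_LOG: list[AuditEntry] = []  # stands in for a persisted review queue


def can_change_role(actor: User, target: User, new_role: str) -> tuple[bool, str]:
    """Return (allowed, reason) without changing anything."""
    if not actor.can_change_roles:
        return False, "actor lacks role-change permission"
    if new_role not in ROLE_RANK:
        return False, "unknown role"
    if actor.name == target.name:
        return False, "users may not change their own role"
    actor_rank = ROLE_RANK[actor.role]
    if ROLE_RANK[target.role] >= actor_rank:
        return False, "target is at or above actor's level"
    if ROLE_RANK[new_role] >= actor_rank:
        return False, "new role is at or above actor's level"
    return True, "ok"


def change_role(actor: User, target: User, new_role: str, note: str) -> bool:
    """Apply the change only if authorised and a non-empty note is given; log it."""
    allowed, _reason = can_change_role(actor, target, new_role)
    if not allowed or not note.strip():
        return False
    AUDIT_LOG.append(AuditEntry(actor.name, target.name, target.role, new_role, note.strip()))
    target.role = new_role
    return True
```

With this rule a moderator can neither promote themselves nor demote an administrator, and every applied change leaves an entry the admin can review.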