
Security issue? Unauthenticated able to access search

SheilaSheila ✭✭
edited June 2009 in Vanilla 1.0 Help
Hi!

Just posted about an issue with Discussion Tags only to realize that it is the same with all of them: if an unauthenticated user is able to 'guess' the URL of the search page, which in my case is presumably the default one, the guest can search users and get a list of them, even though in Roles it has been set that guests can't access the search tab. Yes, they can't access the search tab, but they can access the actual URL.
Hopefully this is fixed soon.

Comments

  • I can't reproduce the bug.
    1. unset "Allow non-members to browse the forum"
    2. log out
    3. go to "http://localhost/search.php" => redirected to "http://localhost/people.php"
    How do you trigger the bug?
  • SheilaSheila ✭✭
    edited June 2009
    Hi and thanks for the quick reply.

    Sorry if I was not clear enough. When it is set that non-members can't browse the forum, naturally they can't access the search either (afaik).

    But when I set for guests that they can browse the forum (which is the preferred method, since I like to provide a few forums, a Help page etc. publicly), they can't access anything they are not allowed to, but search is still available if the URL is guessed or known, as it is with Vanilla's default. And yes, I double-checked that in Roles -> Viewable Tabs/Pages -> it is set to 'no' for search.

    Hope I haven't misunderstood something in Vanilla's logic, but generally no means an absolute no in access rules :D

    If this still makes no sense, whisper me and I'll set my forum public for a while and send you the URL so you'll be able to test it yourself.
  • With Vanilla you can allow non-members to browse the forum or not. You can also restrict which categories a role can access, but you cannot set which tab is accessible. The security issue you mention must be related to an add-on, maybe the Page Manager add-on.
  • SheilaSheila ✭✭
    ^ Thanks for the hint.

    Tested by turning all add-ons off and checked that extensions.php is empty. Still able to access the search as a guest. Sorry, but I do see this more as a minor system bug/flaw in the role logic. IMO the day users registered, how many posts they have and when their last visit was is much more private data than the topic names the board has. And this is available to guests if I don't set public browsing to no.

    Guess it's good to mention that the Vanilla board I have has its content imported from Invision. Had to heavily modify the existing Vanilla add-on though, in order to clean all the **** IPB has, meaning snapbacks, system comments etc., and in order to have old posts keep image paths and multiquotes like they should, but I really can't see how that would have any effect on this.
  • You either have to let guests (unauthenticated users) find the search page or not allow them to browse any part of the forum. However, they shouldn't be able to see results for discussions in categories they don't have access to; the search page only searches in categories they have access to.
  • SheilaSheila ✭✭
    edited June 2009
    Correct, guests don't see any search results for discussions in categories they are not able to attend. (Atm there are zero categories, since I have not been able to find a solution to hide user icons from guests.) User profiles are searchable, and I'm sorry, but I do see it as an illogical feature alongside Vanilla's privacy features. So should I request an add-on or...?

    edit: Actually, would it do the trick if I set a custom URL for the search page with the Page Manager and disabled the system default search URL with .htaccess? Like I know how to disable the default search with .htaccess, but I guess it's doable.
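An added check, not code from this thread or from Vanilla, that automates the reproduction steps given in the first reply: request search.php with no session cookie and record whether the server redirects the guest (to people.php, as in that reply) or serves the page. A 200 means the Roles setting only hides the tab and does not protect the URL. FORUM_URL is an assumed placeholder for your own forum.

```python
"""Check whether a guest can reach Vanilla 1's search.php.

Added example, not from this thread or from Vanilla. An unauthenticated
GET to search.php should be redirected away (to people.php in the reply
above), not answered with a 200 result page. FORUM_URL is an assumption.
"""
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urljoin

FORUM_URL = "http://localhost/"  # assumed: replace with your own forum


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses; the redirect itself is what we inspect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: Optional[str]) -> str:
    """Turn one guest response into a verdict.

    'enforced' - the guest was redirected away from search.php
    'exposed'  - search.php answered 200, so hiding the tab in Roles
                 does not protect the URL
    'other'    - anything else (403, 500, ...), worth a manual look
    """
    if 300 <= status < 400 and location:
        return "enforced"
    if status == 200:
        return "exposed"
    return "other"


def fetch_as_guest(base_url: str, path: str = "search.php") -> Tuple[int, Optional[str]]:
    """GET `path` through a cookie-less opener, i.e. as an unauthenticated guest."""
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(urljoin(base_url, path), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for 3xx/4xx/5xx here
        return err.code, err.headers.get("Location")


def guest_search_verdict(base_url: str = FORUM_URL) -> str:
    status, location = fetch_as_guest(base_url)
    return classify(status, location)


if __name__ == "__main__":
    status, location = fetch_as_guest(FORUM_URL)
    print(f"search.php as guest: {status} Location={location} -> {classify(status, location)}")
```

Run it once before and once after changing the role or .htaccess setting; the verdict should move from 'exposed' to 'enforced'.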