
Admin-only category can easily be hacked?

edited February 2012 in Vanilla 2.0 - 2.8

We have a forum with an admin-only category. We have found that there is a serious bug in the security. Navigate to an admin account http://www.ourforum.nl/index.php?p=/profile/11/ADMINUSER, then click on the comments of the admin user (http://www.ourforum.nl/index.php?p=/profile/comments/11/ADMINUSER), and then one can read the first part of the admin-only category comments.

Can anyone confirm this?
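The post describes an authorization gap: a per-user comment listing that selects by author but never checks whether the viewer may see each comment's category. The following is an added illustration of that gap and of the fail-closed check that removes it; it is not code from this thread or from Vanilla, and every name, role and comment in it is constructed for the example.

```python
"""Model of the profile/comments authorization gap described in the post.

The leaky listing selects comments by author only. The hardened listing
additionally checks the *viewer's* permission on each comment's category
and fails closed when a category is unknown. All names, roles and data
below are constructed for this example; they are not Vanilla's API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Category:
    id: int
    name: str
    # Roles allowed to view this category; an empty set means public.
    view_roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Comment:
    id: int
    author_id: int
    category_id: int
    body: str


# Constructed sample data (hypothetical forum content).
CATEGORIES = {
    1: Category(1, "General"),
    2: Category(2, "Staff Only", frozenset({"Administrator"})),
}

COMMENTS = [
    Comment(100, 11, 1, "Welcome to the forum!"),
    Comment(101, 11, 2, "Draft moderation policy, do not share"),
    Comment(102, 42, 1, "Thanks for the welcome"),
    # Category 9 does not exist (e.g. deleted); the check must fail closed.
    Comment(103, 11, 9, "Comment in a category that no longer exists"),
]


def can_view_category(category_id, viewer_roles, categories=CATEGORIES):
    """Return True only if the viewer holds a role allowed to view the category.

    Unknown categories are not viewable (fail closed).
    """
    cat = categories.get(category_id)
    if cat is None:
        return False
    if not cat.view_roles:
        return True  # public category
    return bool(cat.view_roles & set(viewer_roles))


def profile_comments_unfiltered(author_id, comments=COMMENTS):
    """The leaky behaviour: selects by author only and ignores the viewer."""
    return [c for c in comments if c.author_id == author_id]


def profile_comments(author_id, viewer_roles, comments=COMMENTS, categories=CATEGORIES):
    """Hardened listing: each comment is filtered by the viewer's category permission."""
    return [
        c
        for c in profile_comments_unfiltered(author_id, comments)
        if can_view_category(c.category_id, viewer_roles, categories)
    ]


if __name__ == "__main__":
    for roles in (set(), {"Member"}, {"Administrator"}):
        visible = [c.id for c in profile_comments(11, roles)]
        print(f"viewer roles {sorted(roles) or ['(guest)']}: comment ids {visible}")
```

The point of the hardened version is that the permission check is applied per comment at the listing boundary, so any page that enumerates a user's content (profile comments, search, activity feeds) returns the same set a direct request to the category would.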

Answers

  • The word 'hacked' is bandied about a bit.

    I can confirm that you can't see a private category post through profile/comments with 2.0.18.2, when not admin, when custom permissions are set so it is only Administrator.

    The thing to do is open the issue on GitHub and provide steps to reproduce the issue.

    grep is your friend.

  • x00x00 MVP
    edited February 2012

    This issue has already been fixed here:

    https://github.com/vanillaforums/Garden/issues/904

    Upgrade.

    grep is your friend.
