Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
mavis
New Member
New Member


Joined: Feb 16, 2004
Posts: 12

PostPosted: Mon Feb 16, 2004 3:49 pm Reply with quote

We have found out that if you select all users posts, posts from two hidden forums (one moderators) can be seen by users. How can we prevent this?

The other issue is the scrolling newsblock - we want to remove our hidden forums from that too.

Please advise.
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Mon Feb 16, 2004 4:28 pm Reply with quote

If by scrolling news you mean the recent posts block, that is a customized block, and any new forums that you add into there have to be manually added to the block code, just like your other one was. If you look on line 44 you will see where forum id 20 is being blocked. You would just need to expand that from
Code:
where forum_id != '20'
to
Code:
where forum_id NOT IN('20','??')
where you replace the ?? with the forum to block.

As to your other issue, can you be more specific? What do you mean by 'select all user posts'?


Last edited by Raven on Wed Feb 18, 2004 5:09 pm; edited 1 time in total 
View user's profile Send private message
mavis
PostPosted: Mon Feb 16, 2004 4:32 pm Reply with quote

sorry we didn't set up the scroll block, you did so I'm afraid none of that made any sense to me. Embarassed

I'll get back to you on the other question, I was advised by a fellow mod about it.
 
mavis
PostPosted: Mon Feb 16, 2004 5:55 pm Reply with quote

Raven, say you are looking thru the forums and you click on a thread - if you click on a posters name, it takes you to an "all about so and so" profile type thing - in the profile it says "find all posts by" - if you click on that for any of the four of us mods - you can read all of our posts - even those that are supposed to be hidden from view in the "moderators forum"
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Mon Feb 16, 2004 7:30 pm Reply with quote

After having browsed through over 35 pages of posts i could not find any posts from forums for which i had no access and i was even logged in as Nuke admin (not forum admin)
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Tue Feb 17, 2004 10:16 am Reply with quote

Mavis, have you actually logged in using a user's name that you know does not have access (like adding a user named mavistest) and seeing what you can and can't do? We can't reproduce the error here, but it might be a flaw with your version, although we have not heard of this before.
 
mavis
PostPosted: Tue Feb 17, 2004 11:14 am Reply with quote

nope will try that now

on the first issue can you please elaborate and tell me where row 44 is and where to put the codes and how to find them etc. thanks
 
Raven
PostPosted: Tue Feb 17, 2004 11:17 am Reply with quote

in your blocks/block-block-ForumsScroll.php file.
 
mavis
PostPosted: Tue Feb 17, 2004 11:25 am Reply with quote

and is that in administration or php or ftp or control panel - you do know you are dealing with retards here don't you! Wink
 
Raven
PostPosted: Tue Feb 17, 2004 11:26 am Reply with quote

You have to ftp the file down to your pc, modify it, and then ftp it back Smile
 
mavis
PostPosted: Tue Feb 17, 2004 11:29 am Reply with quote

no posts from the unaccessible forums are visible on a test member. melanie was panicking unnecessarily!
 
Raven
PostPosted: Tue Feb 17, 2004 11:31 am Reply with quote

Evil or Very Mad Confused Rolling Eyes Wink Laughing
 
mavis
PostPosted: Tue Feb 17, 2004 11:37 am Reply with quote

OK I got the file now what the hell do I do with it LOL its scaring me!!! Shocked
 
mavis
PostPosted: Wed Feb 18, 2004 3:58 pm Reply with quote

HELP!!!!!!!!
 
Raven
PostPosted: Wed Feb 18, 2004 4:09 pm Reply with quote

I explained that in my second post above Smile
 
mavis
PostPosted: Wed Feb 18, 2004 4:22 pm Reply with quote

no you said modify it, I have no idea how to modify it thats my point lol
 
Raven
PostPosted: Wed Feb 18, 2004 4:59 pm Reply with quote

You edit the file by using cPanel or ftp'ing to your pc, modify it, then ftp it back. In my post I explain exactly what line to modify and how to modify it. The method you use is up to you. Does that help?
 
mavis
PostPosted: Wed Feb 18, 2004 5:00 pm Reply with quote

right OK luckily Minx is not as retarded as me. BUT your info was slightly out. What it should read is forum_id NOT IN (20," ")
 
Raven
PostPosted: Wed Feb 18, 2004 5:05 pm Reply with quote

Ah yes. MySQL doesn't honor the ! as NOT with the IN clause. I will correct the post.
 
mavis
PostPosted: Wed Feb 18, 2004 5:08 pm Reply with quote

Raven wrote:
You edit the file by using cPanel or ftp'ing to your pc, modify it, then ftp it back. In my post I explain exactly what line to modify and how to modify it. The method you use is up to you. Does that help?


the modifying it was the difficult bit - line 44 meant nothing to me, luckily minx helped me find it
 
mavis
PostPosted: Wed Feb 18, 2004 5:09 pm Reply with quote

Raven wrote:
Ah yes. MySQL doesn't honor the ! as NOT with the IN clause. I will correct the post.


cool I did try yours first then minx told me what hers was and I copied that and it worked Laughing
 
addy
Hangin' Around


Joined: Mar 28, 2005
Posts: 42

PostPosted: Mon Oct 17, 2005 7:37 pm Reply with quote

I'm going to bump this because I've been searching for literally hours and this is the ONLY post I've come accross with the issue I have.

I was informed that someone that is in no group can use the find all posts feature under anyone's profile to see into the restricted sections.

I upgraded to the current phpbb forum. I was 2.15 now I am 2.17. It did not fix this issue.

I do not see any similiar blocks like the one mentioned in this post. I believe it's 7.6 that I'm running after hearing about security risks on the newer versions of phpnuke. If I need to upgrade that I will happily do so.

The only mods I've added to the site is a roster - it's a gaming site and a user info block.

I might take down the forums tonight until I get this resolved. Any help would be awesome and I'll keep plugging along looking for more info about this issue.
 
View user's profile Send private message
Raven
PostPosted: Mon Oct 17, 2005 7:40 pm Reply with quote

Please post you block code so that we may better help you.
 
addy
PostPosted: Mon Oct 17, 2005 8:42 pm Reply with quote

Which block contents would you like me to post?
 
stoney
New Member
New Member


Joined: Oct 10, 2005
Posts: 20

PostPosted: Mon Oct 17, 2005 9:13 pm Reply with quote

I think what he is trying to say is that if you look at a users profile and do find all posts (like I do with you and chatserv all the time lol) that you can see posts from restricted areas that the user would not normally be able to see.
 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©