One of our members just stumbled over a security hole in the search function yesterday.
He was searching for information about one of our special ranks that you have to pay for to get access to special login info located in boards only visible to that rank. However, by putting that word in the search box, it gave him access to the threads with that info in them that were in the restricted board.
Thus, before displaying results, the search engine needs to look at the rank of the searcher and the permissions of the boards it is presenting search results for before displaying any results.
We are running SMF 1.1.1 and this isn't something I saw as a bugfix for 1.1.2.
I shall report this. Thanks - I can't confirm it as I haven't tested it but I will report it.
I've seen this reported a few times before, but I'm unable to recreate the behaviour on any of my installs...
http://www.simplemachines.org/community/index.php?topic=88762.0
http://www.simplemachines.org/community/index.php?topic=116008.0
I have gone ahead and posted it for the dev team to take a peek at. It is far beyond my comprehension.
Thank you :) Something odd that my techies on the site have confirmed: this only happens for people whose memberships were created while we were using 1.0.5; memberships created after we upgraded to 1.1.1 cannot do this.
So basically it was a security hole back in 1.0.5; maybe the newest version should include a way to recode the users' permissions.
I can confirm it happens in 1.1.2 with even users created after upgrading to 1.1.x as it happens with anonymous visitors too. Just go to profile of any user and click the link to view all posts. It will list posts in sections that are restricted to only logged-in users.
Does one of you mind sharing the differences between your servers and others? I can't replicate this. I would love to bug this and work for a solution but I can't see anywhere that this happens. I will happily take PMs and will, perhaps, need additional information and access. I am not the person that is skilled enough to deal with this but I am capable of replication and reporting if need be.
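An added example, not part of the thread and not SMF's code: a search that requires each matching post's board to be visible to one of the searcher's groups, the check the first post asks for, shown beside a text-only search. The same condition belongs on every listing path, including the "view all posts" profile link mentioned above. The schema, group numbers and function names are hypothetical, and the sample rows are constructed.

```python
import sqlite3

def build_db():
    """Constructed sample forum: one public board, one board for a paid rank only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE boards (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE board_groups (board_id INTEGER, group_id INTEGER);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, board_id INTEGER, body TEXT);
        INSERT INTO boards VALUES (1, 'General'), (2, 'Paid rank only');
        -- hypothetical groups: 0 = guests, 1 = regular members, 2 = paid rank
        INSERT INTO board_groups VALUES (1, 0), (1, 1), (1, 2), (2, 2);
        INSERT INTO posts VALUES
            (1, 1, 'How do I get the gold rank?'),
            (2, 2, 'gold rank login info: <constructed placeholder>');
    """)
    return db

def search_unfiltered(db, term):
    """Matches on text only, so restricted posts leak to any searcher."""
    rows = db.execute(
        "SELECT id FROM posts WHERE body LIKE ? ORDER BY id", (f"%{term}%",))
    return [r[0] for r in rows]

def search_filtered(db, term, group_ids):
    """Matches on text AND requires one of the searcher's groups on the post's board."""
    if not group_ids:
        return []  # no group membership means no board access (and no empty IN ())
    marks = ",".join("?" * len(group_ids))
    rows = db.execute(
        f"""SELECT p.id FROM posts p
            WHERE p.body LIKE ?
              AND EXISTS (SELECT 1 FROM board_groups bg
                          WHERE bg.board_id = p.board_id
                            AND bg.group_id IN ({marks}))
            ORDER BY p.id""",
        (f"%{term}%", *group_ids))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print("unfiltered:", search_unfiltered(db, "gold rank"))
    print("guest:     ", search_filtered(db, "gold rank", [0]))
    print("paid rank: ", search_filtered(db, "gold rank", [2]))
```

The permission test sits inside the query rather than in display code, so result counts and pagination cannot reveal that a restricted match exists.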