
New users with the position "Administrator"

Started by bvsweeney, January 07, 2011, 03:22:17 PM


bvsweeney

We are seeing more and more new users registering for the board as ADMINISTRATORS.  Any ideas?

As a precautionary measure, I updated the STOP Spammer mod and added the reCAPTCHA mod.

Thanks,

Brian
------
SMF 1.1.12
Stop Spammer 2.3.8 (reports 2.3.7)
reCAPTCHA mod (just added)

Illori

do you have any groups that inherit permissions? i would disable registration till you can resolve this or your forum may lose control and end up locking you out.

GadgetGeek

Quote from: Illori on January 07, 2011, 03:23:38 PM
do you have any groups that inherit permissions? i would disable registration till you can resolve this or your forum may lose control and end up locking you out.

I too work with bvsweeney, and did check to see if there are any permissions inherited, but unless I am not looking in the right place, there are none.  We possibly need to wait a day or so and see if this happens after BVS did the changes.  We do thank you for your quick answer and are glad to work with you when we have issues...

GG>- 
Finding offense where none is intended is a form of selfishness.

When facts change, I change my mind.  What do you do?

bvsweeney

We are still seeing spammers subscribing as Admins.  Is there a known exploit for this?

Illori

there are no known security issues with smf at this time. your best bet is to disable registration until you can review all your permissions and make sure none are leading to admin privileges.

DavidCT

Did you try registering as a new user yourself?  Do you get admin access?

If yes and no, then what I'd do is uninstall any mods, download the large upgrade and overwrite your themes and sources files to make sure it's pure SMF 1.1.12 without modifications to see if that fixes it.  Don't install any mods during the test period.

Also make sure your PHP files aren't writable to world or group (unless required from outdated server config) and neither are your folders.  If PHP is running as CGI you shouldn't need either of them to be readable or writable to anyone but owner.
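
The file-permission check DavidCT describes above, as an added example that is not part of the original thread: a shell function that lists PHP files and directories under a forum root that are writable by group or others. The sample tree and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report group- or world-writable
# PHP files and directories under a forum installation.

# audit_writable DIR
# Prints one path per line for every directory or *.php file under DIR
# that has the group-write (020) or other-write (002) bit set.
audit_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" \( -type d -o -type f -name '*.php' \) \
        \( -perm -020 -o -perm -002 \) -print
}

# make_sample_tree
# Builds a small constructed tree in a temp directory and prints its path.
# Two entries are deliberately too permissive so the audit has findings.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/Sources" "$t/attachments"
    : > "$t/index.php"
    : > "$t/Settings.php"
    : > "$t/Sources/Load.php"
    : > "$t/attachments/photo.jpg"
    chmod 755 "$t" "$t/Sources"
    chmod 644 "$t/index.php" "$t/Sources/Load.php"
    chmod 666 "$t/Settings.php"           # world-writable PHP file: flagged
    chmod 777 "$t/attachments"            # world-writable directory: flagged
    chmod 666 "$t/attachments/photo.jpg"  # not PHP, not a directory: ignored
    echo "$t"
}

# When run with a path argument, audit that path.
# Findings can be tightened with: chmod go-w <path>
if [ -n "${1:-}" ]; then
    audit_writable "$1"
fi
```

Upload directories may legitimately need to be writable by the web server account on servers that do not run PHP as the file owner, so review each finding before changing it.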

bvsweeney

Quote from: DavidCT on January 17, 2011, 02:58:17 PM
Did you try registering as a new user yourself?  Do you get admin access?

If yes and no, then what I'd do is uninstall any mods, download the large upgrade and overwrite your themes and sources files to make sure it's pure SMF 1.1.12 without modifications to see if that fixes it.  Don't install any mods during the test period.

Also make sure your PHP files aren't writable to world or group (unless required from outdated server config) and neither are your folders.  If PHP is running as CGI you shouldn't need either of them to be readable or writable to anyone but owner.

Yes, I did try registering a new user.  My test user did not get admin rights.

Thanks DavidCT for the verbose suggestion.  (I needed that.)  I will try this right away.

-Brian

GadgetGeek

Quote from: bvsweeney on January 17, 2011, 03:51:36 PM
Quote from: DavidCT on January 17, 2011, 02:58:17 PM
Did you try registering as a new user yourself?  Do you get admin access?

If yes and no, then what I'd do is uninstall any mods, download the large upgrade and overwrite your themes and sources files to make sure it's pure SMF 1.1.12 without modifications to see if that fixes it.  Don't install any mods during the test period.

Also make sure your PHP files aren't writable to world or group (unless required from outdated server config) and neither are your folders.  If PHP is running as CGI you shouldn't need either of them to be readable or writable to anyone but owner.

Yes, I did try registering a new user.  My test user did not get admin rights.

Thanks DavidCT for the verbose suggestion.  (I needed that.)  I will try this right away.

-Brian

This is Gadgetgeek, I am also an Admin on Brian's board.  We have had 2 Admin logons in the last 10 hours..   No IP address, but logged on as Administrator.   It scares me to death..

Finding offense where none is intended is a form of selfishness.

When facts change, I change my mind.  What do you do?

GadgetGeek


Quote from: bvsweeney on January 07, 2011, 03:22:17 PM
We are seeing more and more new users registering for the board as ADMINISTRATORS.  Any ideas?

As a precautionary measure, I updated the STOP Spammer mod and added the reCAPTCHA mod.

Thanks,

Brian
------
SMF 1.1.12
Stop Spammer 2.3.8 (reports 2.3.7)
reCAPTCHA mod (just added)


Guys, we are still having the newbies logging on as Administrator problem.  4 or 5 in two days.  I hate to sit this close to the computer every day just to catch them, I'm afraid when bass season comes around I'll be on the lake and some spammer has come in and XXXX up the board.  I'd hate that ...

Finding offense where none is intended is a form of selfishness.

When facts change, I change my mind.  What do you do?

Illori

if you don't mind please read http://www.simplemachines.org/community/index.php?topic=87130.0 and send me an admin account along with url to your forum and I will take a look tomorrow.

kateydrop

Does 'saved names' not work?

Just a thought.

"I am the way, the truth, and the life - no one comes to the father except through me.

Illori

what do you mean 'saved names'? this is not an issue of reserved names being used and those getting admin powers by default because of that.

kateydrop

I said 'just a thought', meaning is this an option or not.

It's not, then ok. I realise your frustration but say thanks for trying or something...never mind.

I hope some KNOWLEDGEABLE person gives you much satisfaction to your problem.
"I am the way, the truth, and the life - no one comes to the father except through me.

Illori

i was just trying to understand what you were saying and clear it up for the op as to what effect that has on this issue.

DavidCT

File a security report.

Curious, when you go into admin panel, does it show them as being admins in the admin list on the front page?  When you view their profile and view their permissions, it shows them having admin access?  They aren't just using the username "Administrator", right?  (don't be offended, I had to ask :) )

Any chance I can have the URL to your forum?  PM me if you prefer.

Illori

i would not file a security report at this time, we don't know what the settings are for each group, someone, and i have volunteered already, should double check the permissions before making this a big issue. also most of the time security reports are for issues when someone has been hacked and wishes to provide details to the smf staff and not let it become public.

GadgetGeek

Quote from: DavidCT on January 21, 2011, 08:12:35 AM
File a security report.

Curious, when you go into admin panel, does it show them as being admins in the admin list on the front page?  When you view their profile and view their permissions, it shows them having admin access?  They aren't just using the username "Administrator", right?  (don't be offended, I had to ask :) )

Any chance I can have the URL to your forum?  PM me if you prefer.

http://285foodies.com/forum/index.php

They are listed as an Administrator in the panel. 

I got a new one this morning ..  :-(

But, maybe I did have a permission setting wrong? 

In Regular Members Permissions, I had "yes" toggled in Members Profiles- Edit account settings, perhaps they are able to change their Membergroup there ?  I will switch this to "no" and give it a day or two ?


Thanks for making me look the hundredth time and perhaps uncovering MY error..




Finding offense where none is intended is a form of selfishness.

When facts change, I change my mind.  What do you do?

Illori

are you willing to allow someone, myself or otherwise, access to your site to double check the permissions?

freebird

Quote from: GadgetGeek on January 21, 2011, 10:35:06 AM

http://285foodies.com/forum/index.php

They are listed as an Administrator in the panel. 

I got a new one this morning ..  :-(

But, maybe I did have a permission setting wrong? 

In Regular Members Permissions, I had "yes" toggled in Members Profiles- Edit account settings, perhaps they are able to change their Membergroup there ?  I will switch this to "no" and give it a day or two ?

Thanks for making me look the hundredth time and perhaps uncovering MY error..


Having the ability to edit account settings under Profile should not give them the ability to change their permissions.  They would have to have manage permissions option checked under Member Administration.  Maybe you could screenshot the permissions section?

GadgetGeek

Quote from: Illori on January 21, 2011, 10:47:32 AM
are you willing to allow someone, myself or otherwise, access to your site to double check the permissions?

Yes.   I have to go out for a few hours, and thank you all.  I'll be back this afternoon.

Finding offense where none is intended is a form of selfishness.

When facts change, I change my mind.  What do you do?
