Search not respecting permissions

Started by Aqua, April 25, 2007, 10:19:05 AM


Aqua

One of our members just stumbled over a security hole in the search function yesterday. 

He was searching for information about one of our special ranks that you have to pay for to get access to special login info located in boards only visible to that rank.  However, by putting that word in the search box, it gave him access to the threads with that info in them that were in the restricted board.

Thus, before displaying results, the search engine needs to look at the rank of the searcher and the permissions of the boards it is presenting search results for before displaying any results.

We are running SMF 1.1.1 and this isn't something I saw as a bugfix for 1.1.2.
Faster than a three legged squirrel

KGIII

I shall report this. Thanks - I can't confirm it as I haven't tested it but I will report it.

My PC Support Forum
Please ask in-thread before PMing
                   SMF Help
                   Visit My Blog

How can we improve the support process?:
http://www.simplemachines.org/community/index.php?topic=163533.0

SMF vs. Godzilla? Who do you think will win?

Sverre


KGIII

I have gone ahead and posted it for the dev team to take a peek at. It is far beyond my comprehension.


Aqua

Thank you :)  Something odd that my techies on the site have confirmed: this only happens for people whose memberships were created while we were using 1.0.5; memberships created after we upgraded to 1.1.1 cannot do this.

formlesstree4

So basically it was a security hole back in 1.0.5; maybe the newest version should include a way to recode the users' permissions.

Monni95

I can confirm it happens in 1.1.2, even with users created after upgrading to 1.1.x, as it happens with anonymous visitors too. Just go to the profile of any user and click the link to view all posts. It will list posts in sections that are restricted to only logged-in users.
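As an added example that is not SMF's code or any poster's, here is the check Aqua describes (board permissions evaluated before results are displayed) applied to both surfaces named in this thread: search hits and the profile "view all posts" list. The board access table, the group ids (SMF's -1 for guests and 0 for regular members, plus a constructed "premium" group 5), the sample hits and the `messages` table in the SQL are all assumptions made for the illustration.

```php
<?php
// Added example, not SMF's own code: scope search hits and a member's
// "show posts" list to boards the viewer is allowed to see, before anything
// is rendered. Group ids follow SMF's convention (-1 guests, 0 regular
// members); the board table, hits and "premium" group 5 are constructed here.

/** Ids of boards whose access list shares at least one group with the viewer. */
function visible_boards(array $viewer_groups, array $boards): array
{
    $allowed = [];
    foreach ($boards as $board_id => $access_groups) {
        if (array_intersect($viewer_groups, $access_groups) !== []) {
            $allowed[] = $board_id;
        }
    }
    return $allowed;
}

/** Drop rows (search hits or profile posts) from boards the viewer cannot see. */
function filter_by_board(array $rows, array $allowed_boards): array
{
    $lookup = array_flip($allowed_boards);
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => isset($lookup[$row['id_board']])
    ));
}

/**
 * The same restriction pushed into the query, which is where it belongs:
 * the visible-board list becomes a bound IN (...) clause, so rows from
 * restricted boards are never fetched at all. Returns [sql, bound parameters]
 * for a prepared statement; the messages table is hypothetical.
 */
function scoped_search_query(array $allowed_boards, string $term): array
{
    if ($allowed_boards === []) {
        // Viewer can see no board at all: a query that matches nothing.
        return ['SELECT id_msg, id_board, subject FROM messages WHERE 0 = 1', []];
    }
    $placeholders = implode(', ', array_fill(0, count($allowed_boards), '?'));
    $sql = "SELECT id_msg, id_board, subject FROM messages"
         . " WHERE id_board IN ($placeholders) AND body LIKE ?";
    $params = array_values($allowed_boards);
    $params[] = '%' . $term . '%';
    return [$sql, $params];
}

// Constructed sample data.
$boards = [
    1 => [-1, 0, 5],   // public board: guests, members, premium rank
    2 => [0, 5],       // logged-in members only
    3 => [5],          // premium rank only (the "special login info" board)
];
$hits = [
    ['id_msg' => 10, 'id_board' => 1, 'subject' => 'Welcome'],
    ['id_msg' => 11, 'id_board' => 2, 'subject' => 'Members chat'],
    ['id_msg' => 12, 'id_board' => 3, 'subject' => 'Premium login info'],
];

$viewers = ['guest' => [-1], 'member' => [0], 'premium' => [0, 5]];
foreach ($viewers as $label => $groups) {
    $allowed = visible_boards($groups, $boards);
    $rows = filter_by_board($hits, $allowed);
    [$sql, $params] = scoped_search_query($allowed, 'login');
    printf("%-7s sees boards %s -> %s\n", $label,
        json_encode($allowed), json_encode(array_column($rows, 'subject')));
    printf("        %s  params=%s\n", $sql, json_encode($params));
}
```

The point of `scoped_search_query` over `filter_by_board` is that post-filtering still fetches restricted rows and depends on every output path (search, profile post list, RSS, "recent posts") remembering to call it; restricting the board list inside the query means a forgotten filter cannot leak a restricted board's content.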

KGIII

Does one of you mind sharing the differences between your servers and others? I can't replicate this. I would love to bug this and work for a solution, but I can't see anywhere that this happens. I will happily take PMs and will, perhaps, need additional information and access. I am not the person that is skilled enough to deal with this, but I am capable of replication and reporting if need be.

