Admin Read PMs

Started by vogelap, December 13, 2004, 04:09:03 PM


diu

That's the problem: if I create an FTP account for a user so he can upload his files to the server, he will be able to read all the PMs... :/

diu

Ben_S

Well, don't create an FTP account for people then, and they won't be able to get the database password.

Not sure how you are claiming you can get the db details; you can't, not unless someone has a totally insecure installation.
Liverpool FC Forum with 14 million+ posts.

ryanbsoftware

You CANNOT get PMs through FTP, only db, and I don't know about other forums, but on mine, I am the only one with db access, and only certain staff have FTP access.

Ben_S

Quote from: RyanB on February 25, 2005, 11:49:22 AM
You CANNOT get PMs through FTP, only db

If you have ftp you can access the database password and upload a mysql management tool, so you technically can.
Liverpool FC Forum with 14 million+ posts.

ryanbsoftware

 :o right, lol, you guys should use like an encoder or some way of encrypting the db password or the whole config file, lol. :D

Ben_S

Why? There is absolutely no reason for anyone who isn't trusted to have access to the file.
Liverpool FC Forum with 14 million+ posts.

ryanbsoftware

True, aside from me only trusted staff members have FTP access on my forum.

Oldiesmann

Quote from: Ben_S on February 25, 2005, 12:08:08 PM
Quote from: RyanB on February 25, 2005, 11:49:22 AM
You CANNOT get PMs through FTP, only db

If you have ftp you can access the database password and upload a mysql management tool, so you technically can.

This is exactly why you don't give people access to your forum files unless you really really trust them.
Michael Eshom
Christian Metal Fans

[Unknown]

Yep, that solution is easy: don't be a moron.

-[Unknown]

Tam

I have just started to discover this board so I am not totally sure it doesn't exist already, but if not, a "Forward PM" would solve problems like that. If someone is harassed or something, they can just forward the PM to admin/mods and no need to snoop around in the db.

ryanbsoftware

Quote from: tam****** on February 25, 2005, 04:08:10 PM
I have just started to discover this board so I am not totally sure it doesn't exist already, but if not, a "Forward PM" would solve problems like that. If someone is harassed or something, they can just forward the PM to admin/mods and no need to snoop around in the db.

The problem with that is you can modify the message before it's sent, or forward a non-existent message if you really wanted to.

Tam

Not if you make it copy the PM straight from the database when the admin/user opens it, using its ID.

diu

The problem is that if I create an FTP account for certain members, in order to upload their personal webs, they can access the DB... read PMs and get the phpMyAdmin password just by uploading the reppair_setting or printing the settings.php. It's necessary to know the forum structure.... but it is possible.

diu

Kindred

diu...

only if you give the FTP account access to the SMF root?!

FTP access for all except the admin account (at least on my site) is isolated from the rest of the site by permissions and location...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
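An added example, not part of the thread or of SMF: a small audit of the isolation Kindred describes, flagging FTP homes that contain, equal or sit inside the forum root, and a settings file readable by every local account. The account names, paths and the `Settings.php` default are assumptions.

```python
import os
import stat


def overlaps(forum_root, ftp_home):
    """True if the FTP home contains, equals, or sits inside the forum root."""
    root = os.path.realpath(forum_root)   # resolve symlinks before comparing
    home = os.path.realpath(ftp_home)
    common = os.path.commonpath([root, home])
    return common == root or common == home


def audit(forum_root, ftp_homes, settings_name="Settings.php"):
    """Return (subject, finding) tuples for accounts or files that need attention.

    ftp_homes maps account name -> home/chroot directory (hypothetical inventory).
    settings_name is the forum's config file holding the DB password (assumed name).
    """
    findings = []
    for account, home in sorted(ftp_homes.items()):
        if overlaps(forum_root, home):
            findings.append((account, "home overlaps forum root"))
    settings = os.path.join(forum_root, settings_name)
    if os.path.exists(settings):
        mode = os.stat(settings).st_mode
        if mode & stat.S_IROTH:           # readable by every local account
            findings.append((settings_name, "world-readable"))
    return findings


if __name__ == "__main__":
    # Constructed inventory; replace with the real forum root and FTP homes.
    sample = {"alice": "/srv/www/users/alice", "bob": "/srv/www/forum/uploads"}
    for subject, finding in audit("/srv/www/forum", sample):
        print(f"{subject}: {finding}")
```

Path and mode checks do not cover the case raised elsewhere in the thread, where an uploaded PHP script runs as the same web-server user that has to read the settings file; that needs per-account PHP isolation on the host.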

diu

Hum, I'm Spanish and I'm afraid I don't have a good enough level of English. For example, I have an account on a server where I can't move out of my directory, where I upload a web. In another zone the server has the forum directory and its contents. So I can take the PMs and the phpMyAdmin password easily without any other permission... I'm just a user who can upload a web to a particular directory.

In my own forum and server I create an account that only has FTP access... to one directory in order to upload a web, but... this user can upload some PHP files and get the PMs and the phpMyAdmin password.

It's not too dangerous... because I suppose that admins only create accounts for friends... but the hole exists.

Kindred, if you want we can probe it in your forum, in order to understand it, by creating an account for me; I upload the files and show it to you.

diu

Ben_S

It isn't a hole, it's something that cannot be avoided, if it's a hole as you say, pretty much every single php/perl etc script that connects to a database suffers the same problem.
Liverpool FC Forum with 14 million+ posts.

homer09001

I believe there should be a system like this implemented, as I would find it very useful: I run a gaming clan, and when I get reports that members are abusing others via PM I would like to be able to examine the PM sent directly so that no one can fiddle with it etc.

I had a mod like this for a phpBB forum and it proved very useful.

Thantos

In SMF 1.1 there is an option you can enable which will enable members to report a PM to an admin(s).  In the report it will copy the details from the database so there is no worry about a member altering it before reporting.
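An added example, not part of the thread and not SMF's code: a sketch of the report-by-ID design discussed above, where the reporter sends only the PM's ID and the server copies sender and body from its own database. The table and column names are hypothetical, and SQLite stands in for the forum's MySQL database.

```python
import sqlite3


def make_db():
    """Build an in-memory database with one constructed sample PM."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pms (id INTEGER PRIMARY KEY, sender TEXT,
                          recipient TEXT, body TEXT);
        CREATE TABLE reports (pm_id INTEGER, reporter TEXT,
                              sender TEXT, body TEXT);
    """)
    conn.execute("INSERT INTO pms VALUES (1, 'alice', 'bob', "
                 "'constructed sample message')")
    return conn


def report_pm(conn, reporter, pm_id):
    """File a report for pm_id on behalf of reporter.

    The only client-supplied value is the ID. The body and sender are read
    from the pms table, so an edited or invented message cannot be reported,
    and the recipient check stops users reporting mail that is not theirs.
    """
    row = conn.execute(
        "SELECT sender, body FROM pms WHERE id = ? AND recipient = ?",
        (pm_id, reporter),
    ).fetchone()
    if row is None:
        raise PermissionError("no such PM for this user")
    sender, body = row
    conn.execute("INSERT INTO reports VALUES (?, ?, ?, ?)",
                 (pm_id, reporter, sender, body))
    return {"pm_id": pm_id, "sender": sender, "body": body}


if __name__ == "__main__":
    db = make_db()
    print(report_pm(db, "bob", 1))
```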

Prasad007

Hey, if such a feature or mod doesn't exist then how does the admin of www.tazboard.com read members' PMs??
He's known to be doing that regularly!

Thantos

All the PMs are stored in the database.  With a working knowledge of mysql you can easily read anything and everything you've ever wanted.
