Big problem: Anyone can become admin?

Started by X3mE, August 03, 2008, 03:02:09 PM


X3mE

Ok, I've had my forum attacked a couple of times last week. It appears that the attacker registers and gives admin privileges to himself. I don't know how it is possible, but I'm guessing it is a security hole in SMF 2.0 beta 3.1.

Luckily, no big damage was done (mostly because he obviously had no intentions to do serious damage, he was just messing around), and my mods alerted me right away so I banned him asap, but I would like to prevent this from happening in the future.

Currently I have set the admins to approve all registrations, but that's not good enough protection.

Kids, you tried your best and you failed miserably. The lesson is - never try.

My mods:
OS & Browser Detection (1.5 is out!) | Skype Profile Field | GTalk Profile Field | AllCaps Blocker | SMF Syntax Highlighter (Beta) + 2 in development!

Personal websites:
Mobilize.rs (and forum) | Lolmao.info



H

There are currently no known security problems with SMF.

I'd enable report generation in Admin > Features and Options > Core Features and then check your permissions to ensure you haven't allowed users to change their own membergroup or something similar.

See: Generate Reports for more info.

To be on the safe side you may also want to file a Security Report.
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
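H's advice comes down to checking whether any group other than Administrator is allowed a permission that lets a member change membergroups. The following is an added example, not code from this thread or from SMF itself: a small Python audit over rows shaped like SMF's permissions table (id_group, permission, add_deny). The sample rows and group names are constructed for illustration; the permission names admin_forum, manage_membergroups and manage_permissions are SMF's own, and the rule that an explicit deny in any of a member's groups overrides an allow elsewhere models SMF's behaviour when deny permissions are enabled (an assumption about the version in question).

```python
"""Audit SMF-style membergroup permissions for rights that let a member
promote themselves (or others) into the Administrator group.

Constructed sample data: the rows below imitate SMF's permissions table
(id_group, permission, add_deny) and its membergroups table; they are not
taken from any real forum.
"""

# SMF permission names that amount to administrative control.
ESCALATION_PERMISSIONS = {
    "admin_forum": "full administration panel access",
    "manage_membergroups": "can move members (including self) into any group",
    "manage_permissions": "can grant any permission to any group",
}

# Group 1 is SMF's built-in Administrator group and legitimately holds these.
ADMIN_GROUP_ID = 1

# Constructed sample membergroups: id_group -> group_name.
MEMBERGROUPS = {
    0: "Regular Members",
    1: "Administrator",
    2: "Global Moderator",
    3: "Moderator",
    9: "Helpers",
}

# Constructed sample permission rows: (id_group, permission, add_deny).
# add_deny = 1 means allow, 0 means an explicit deny.
PERMISSION_ROWS = [
    (1, "admin_forum", 1),
    (1, "manage_membergroups", 1),
    (1, "manage_permissions", 1),
    (2, "moderate_forum", 1),
    (2, "manage_bans", 1),
    (0, "manage_membergroups", 1),   # the misconfiguration this thread worries about
    (9, "manage_permissions", 1),    # a custom group that can rewrite permissions
    (3, "manage_membergroups", 0),   # explicit deny for Moderators
]


def audit_groups(rows, group_names):
    """Return {group_name: [risky permission, ...]} for every non-admin group
    that is explicitly allowed an escalation permission."""
    findings = {}
    for gid, perm, add_deny in rows:
        if gid == ADMIN_GROUP_ID or add_deny != 1:
            continue
        if perm not in ESCALATION_PERMISSIONS:
            continue
        name = group_names.get(gid, f"group {gid}")
        findings.setdefault(name, []).append(perm)
    return {name: sorted(perms) for name, perms in findings.items()}


def effective_permissions(member_groups, rows, deny_enabled=True):
    """Permissions a member holds from the union of their groups.

    An allow in any group grants the permission; with deny permissions
    enabled, an explicit deny in any group wins over every allow (modelled
    on SMF's behaviour, see the lead-in)."""
    allowed, denied = set(), set()
    for gid, perm, add_deny in rows:
        if gid not in member_groups:
            continue
        (allowed if add_deny == 1 else denied).add(perm)
    return allowed - denied if deny_enabled else allowed


def report(rows=PERMISSION_ROWS, group_names=MEMBERGROUPS):
    """Print an audit summary for the sample data."""
    findings = audit_groups(rows, group_names)
    if not findings:
        print("No non-admin group holds an escalation permission.")
    for name, perms in findings.items():
        for perm in perms:
            print(f"{name}: {perm} ({ESCALATION_PERMISSIONS[perm]})")
    # A member in Regular Members plus Moderator: the Moderator deny wins.
    print("Regular Member + Moderator:",
          sorted(effective_permissions({0, 3}, rows)))


if __name__ == "__main__":
    report()
```

In a real SMF install the rows would come from the permissions table rather than a constructed list; the admin panel's permission report (Admin > Features and Options > Core Features, as H suggests) shows the same allow/deny matrix per group, and any non-admin group listed by audit_groups is the one to fix.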

X3mE

Quote from: H on August 03, 2008, 04:31:32 PM
I'd enable report generation in Admin > Features and Options > Core Features and then check your permissions to ensure you haven't allowed users to change their own membergroup or something similar.

No, the permissions are good.

Quote from: H on August 03, 2008, 04:31:32 PM
To be on the safe side you may also want to file a Security Report

Ok, I've filed one.