"Security" issue with hidden categories/boards

Started by legaziofunk, May 08, 2018, 03:58:03 AM


legaziofunk

Ladies and Gentlemen,

Here are my stats for the SMF we're using at the site: www.seelenerbe.de
SMF: 2.0.15
Language: GERMAN UTF-8 by default for every user
Theme: CoreTheme
PHP: 7.0
MySQL Version: 5.6.37-82.2-log

Therefore, I MIGHT not use the correct terms in English, since I am mostly familiar with the German terms.

Also, I am not familiar with coding! So all I can provide is a description of the issue.

    Our Setup:
        List any Modifications you have installed: none
        List any Themes you have installed: CoreTheme
        List any non-English Language packs you have installed: German language pack
        Are you using UTF-8? YES
        Any other related information? no.
        What caching level are you using? What does that mean?
    Server Software:
        Apache/IIS version?: don't know.
        PHP version?: 7.0
        Database type and version: MySQL Version: 5.6.37-82.2-log
        Any other related server information?
    Where the Error Occurred
        File: no idea
        Line: no idea
        Any relevant errors in the SMF error log (if so please post them)?: not that I know of.

    How to Reproduce this Error?:

1. Set up two boards (BOARD 1 and BOARD 2)
2. Set up two different user-groups with different rights of accessing different boards.
Group 1: has limited access to only one board (BOARD 1 - let's call him "board-1-guy")
Group 2: all access to all boards (like an Admin - so let's call this guy "admin" in the following explanation)

In the admin role, I chose to be notified via email about new posts in a specific category/board (BOARD 2) that is not accessible to all user groups.

3. As admin: activate notification via email when new posts in BOARD 2 are happening.
4. Receive the email about the new post/topic in BOARD 2.
5. Click on the link that leads to this very BOARD 2, which leads you to the log in window (the entire forum is not public).
6. Do NOT log in as admin, but as board-1-guy (who actually is NOT allowed to see this board/thread).

ERROR/BUG: Well, unfortunately, board-1-guy is able to see the entire post!

This very post I am talking about also contained an attachment. After clicking on it, SMF told me that I do not have access. That makes sense, but it came one step "too late", since, I think, SMF should not have let me log in as board-1-guy and presented the post in the first place.

Important: I do believe this to be a minor issue in the sense that the actual link to the new post is rather unlikely to be seen by users like board-1-guy, since he can't set the notification in the first place (and is rather unlikely (!) to come across this very link).
Yet, logically speaking, there should not be the chance (!) of this actually happening, because board-1-guy is not supposed to see any of this "BOARD 2 content", no matter what.

But since this is a security issue (the hidden BOARD 2 contains sensitive material!), I do think it is an important issue.

I hope, this all makes sense!
*I am a NEWBIE* Stats as of Dec. 2019
SMF: 2.0.15
Language: GERMAN UTF-8 by default for every user
Theme: CoreTheme
PHP: 7.2
MySQL Version: 5.6.45-86.1-log

Illori

Then you need to check your permissions for boards visible for both normal groups and post-count-based groups. If your forum is set up correctly, this cannot happen.

legaziofunk

Quote from: Illori on May 08, 2018, 05:09:30 AM
Then you need to check your permissions for boards visible for both normal groups and post-count-based groups. If your forum is set up correctly, this cannot happen.

If you say so.

But it did.

Like I said (and I don't want to repeat myself): the "security setting" kicked in when I clicked the file attachment: no access.
But I already saw the post!

Aleksi "Lex" Kilpinen

Should not be possible.

Go to the user's profile -> Profile info -> Show permissions

The first heading is "Restricted boards", is the hidden board mentioned here? If not, then your access permissions need tweaking.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

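The check Lex describes (profile -> Show permissions -> "Restricted boards") looks at one member at a time. As an added example, not code from this thread or from the SMF project, the following MySQL query does the same audit for every member of a given board at once, counting primary, post-count and additional group membership the way Illori's reply says board access is evaluated. It assumes the default `smf_` table prefix, the SMF 2.0 schema, and that the restricted board has id_board 2 (a constructed value).

```sql
-- Added audit query, not from the thread or from SMF itself.
-- Assumes the default `smf_` table prefix and the SMF 2.0 schema:
--   boards.member_groups / boards.deny_member_groups hold comma-separated
--   group ids (-1 = guests, 0 = regular members); each member has a
--   primary group (id_group), a post-count group (id_post_group) and a
--   comma-separated additional_groups list. Group 1 (administrator)
--   always has access. The board id below is a constructed sample value.
SET @board := 2;

SELECT m.id_member,
       m.member_name,
       m.id_group          AS primary_group,
       m.id_post_group     AS post_count_group,
       m.additional_groups,
       CASE
         WHEN m.id_group = 1                                    THEN 'administrator'
         WHEN FIND_IN_SET(m.id_group, b.member_groups) > 0      THEN 'primary group'
         WHEN FIND_IN_SET(m.id_post_group, b.member_groups) > 0 THEN 'post-count group'
         ELSE 'additional group'
       END AS granted_via
FROM smf_members m
JOIN smf_boards  b ON b.id_board = @board
WHERE m.id_group = 1
   OR (
        -- at least one of the member's groups is listed on the board ...
        (   FIND_IN_SET(m.id_group, b.member_groups) > 0
         OR FIND_IN_SET(m.id_post_group, b.member_groups) > 0
         OR EXISTS (SELECT 1 FROM smf_membergroups g
                    WHERE FIND_IN_SET(g.id_group, m.additional_groups) > 0
                      AND FIND_IN_SET(g.id_group, b.member_groups) > 0)
        )
        -- ... and none of them is explicitly denied (deny lists are only
        -- enforced when the deny-permissions option is enabled in the admin panel)
        AND NOT (
               FIND_IN_SET(m.id_group, b.deny_member_groups) > 0
            OR FIND_IN_SET(m.id_post_group, b.deny_member_groups) > 0
            OR EXISTS (SELECT 1 FROM smf_membergroups g
                       WHERE FIND_IN_SET(g.id_group, m.additional_groups) > 0
                         AND FIND_IN_SET(g.id_group, b.deny_member_groups) > 0)
        )
      )
ORDER BY m.member_name;
```

Any account in the result that should not read the board (the "board-1-guy" of the report) points at the group or board setting to correct; the granted_via column says which of its groups lets it in.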

Kindred

Cannot recreate the issue.... Permissions, when properly set up, ARE respected, regardless of the link used to attempt to view...
Glory to Ukraine!

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

shawnb61

I'm closing this one out as it could not be reproduced.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
