SMF Development > Bug Reports

"Security" issue with hidden categories/boards

(1/1)

legaziofunk:
Ladies and Gentlemen,

here are my stats of the SMF we're using at the site: www.seelenerbe.de
SMF: 2.0.15
Language: GERMAN UTF-8 by default for every user
Theme: CoreTheme
PHP: 7.0
MySQL Version: 5.6.37-82.2-log

Therefore, I MIGHT not use the correct terms in English, since I am mostly familiar with the German terms.

Also, I am not familiar with coding! So all I can provide, is a description of the issue.

    Our Setup:
        List any Modifications you have installed: none
        List any Themes you have installed: CoreTheme
        List any non-English Language packs you have installed: German language pack
        Are you using UTF-8? YES
        Any other related information? no.
        What caching level are you using? What does that mean?
    Server Software:
        Apache/IIS version?: don't know.
        PHP version?: 7.0
        Database type and version: MySQL Version: 5.6.37-82.2-log
        Any other related server information?
    Where the Error Occurred
        File: no idea
        Line: no idea
        Any relevant errors in the SMF error log (if so please post them)?: not that I know of.

    How to Reproduce this Error?:

1. Set up two boards (BOARD 1 and BOARD 2)
2. Set up two different user-groups with different rights of accessing different boards.
Group 1: has limited access to only one board (BOARD 1 - let's call him "board-1-guy")
Group 2: all access to all boards (like an Admin - so let's call this guy "admin" in the following explanation)

In admin role, I chose to be notified via email about new posts in a specific categorie/board (BOARD 2) that is not accessible to all user groups.

3. As admin: activate notification via email when new posts in BOARD 2 are happening.
4. receive the email about the new post/topic in BOARD 2.
5. Click on the link that leads to this very BOARD 2, which leads you to the log in window (the entire forum is not public).
6. Do NOT log in as admin, but as board-1-guy (who actually is NOT allowed to see this board/thread).

ERROR/BUG: Well, unfortunately, board-1-guy is able to see the entire post!

This very post I am talking about, also contained an attachment. After clicking on it, SMF told me that I do not have access. That makes sense, but came in one step "too late", since, I think, SMF should not have let me log in as board-1-guy and present the post in the first place.

Important: I do believe this to be a minor issue in the sense that the actual link about the new post is rather unlikely to be seen by users like board-1-guy - since he can't set the notification in the first place (and rather unlikely (!) comes across this very link).
Yet, logically speaking there should not be the chance (!) of this to actually happen because board-1-guy is not supposed to see any of this "BOARD 2 content" - no matter what.

But since this is a security issue (the hidden BOARD 2 contains sensitive material!), I do think it is an important issue.

I hope, this all makes sense!

Illori:
then you need to check your permissions for boards visible for both normal groups and post count based groups. if your forum is setup correctly this cannot happen.

legaziofunk:

--- Quote from: Illori on May 08, 2018, 05:09:30 AM ---then you need to check your permissions for boards visible for both normal groups and post count based groups. if your forum is setup correctly this cannot happen.

--- End quote ---

If you say so.

But it did.

Like I said (and I don't want to repeat myself): The "security-setting" kicked in, when i clicked the file-attachment: no access.
But I already saw the post!

Aleksi "Lex" Kilpinen:
Should not be possible.

Go to the users profile -> Profile info -> Show permissions

The first heading is "Restricted boards", is the hidden board mentioned here? If not, then your access permissions need tweaking.

Kindred:
can not recreate the issue....   permissions, when properly set up ARE respected, regardless of the link used to attempt to view...

Navigation

[0] Message Index

Go to full version