Topic: Security hole in profile.php

You should be able to prevent guests or whoever from viewing the profiles of your users, but the code in place to implement this:

if ($pun_user['g_read_board'] == '0' && !isset($_GET['key']))
    message($lang_common['No view']);

is easily circumvented by simply setting the "key" parameter (to anything).

Re: Security hole in profile.php

err ... that if statement means you must be allowed to read the board and have set a key get variable ... if you disallow that group from reading the board, it won't be possible to go around by just setting the "key" parameter to see profiles.

In my experience people put more personal stuff in the signatures than they do on profile pages, and disallowing guests from reading the board should make looking at the profiles disallowed as well.

3 (edited by Smartys 2005-01-14 00:12)

Re: Security hole in profile.php

Actually, that statement says that if your group is not allowed to read the board AND you do not have a key set, you should get the No View message. You're reading it as a ||, not a &&. wink
So, by setting key you do indeed get around that (I tested it on my forum tongue)
The solution (at least as I read it) would be adding && $action != 'change_pass' to the if statement: because if change_pass must be used and the key must be set, it can only be used for changing pass (which was the original exclusion I believe Rickard was trying to make).

Re: Security hole in profile.php

hmm ... I should stop reading code at 1am big_smile

Re: Security hole in profile.php

Actually, he's right Frank. I will fix it asap.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Security hole in profile.php

Thanks. I fixed it temporarily by making it:

$action = isset($_GET['action']) ? $_GET['action'] : null;

if ($pun_user['g_read_board'] == '0' && !($action == 'change_pass' || $action == 'change_email'))
    message($lang_common['No view']);

(The "$action = ..." line is moved up from below)
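To make the bypass and the fix concrete, here is an added example (not the poster's code and not PunBB's own profile.php) that models both versions of the check as functions and runs them against a few constructed requests. It keeps the $pun_user / g_read_board names from the thread and uses a plain $get array in place of $_GET so it runs without a web request.

```php
<?php
// Added example, not code from the thread or from PunBB: models the
// profile.php read-permission check so the bypass and the fix can be
// compared side by side. $get stands in for $_GET.

// Original check, as quoted in the thread: a group with g_read_board = '0'
// is only blocked when no "key" parameter is present at all, so any value
// for "key" (valid or not) satisfies the second condition.
function profile_viewable_original(array $pun_user, array $get): bool
{
    if ($pun_user['g_read_board'] == '0' && !isset($get['key'])) {
        return false; // message($lang_common['No view'])
    }
    return true;
}

// Patched check, following the fix posted above: the exemption applies only
// to the actions that legitimately need to run without board access.
function profile_viewable_patched(array $pun_user, array $get): bool
{
    $action = isset($get['action']) ? $get['action'] : null;
    if ($pun_user['g_read_board'] == '0'
        && !($action == 'change_pass' || $action == 'change_email')) {
        return false; // message($lang_common['No view'])
    }
    return true;
}

// Constructed requests from a group that is not allowed to read the board.
$guest = ['g_read_board' => '0'];
$cases = [
    'plain profile view'        => [],
    'arbitrary key only'        => ['key' => 'anything'],
    'change_pass with key'      => ['action' => 'change_pass', 'key' => 'abc'],
    'key plus unrelated action' => ['action' => 'view', 'key' => 'anything'],
];

foreach ($cases as $label => $get) {
    printf("%-26s original: %-7s patched: %s\n", $label,
        profile_viewable_original($guest, $get) ? 'allowed' : 'blocked',
        profile_viewable_patched($guest, $get) ? 'allowed' : 'blocked');
}
```

As in the posted fix, the patched check gates on the action value alone and does not itself validate the key; the second and fourth cases show the difference between the two versions.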

Re: Security hole in profile.php

Bah, reading code late at night is fun
*reads for 5 seconds*
*slumps forward on his keyboard, asleep*
tongue

Re: Security hole in profile.php

Fix.

"Programming is like sex: one mistake and you have to support it for the rest of your life."