1

Topic: [bug] Unprivileged users can get search results from private forums

By searching for posts by moderators, and choosing to display results as posts, unprivileged users can get snippets of posts from a private, moderator-only forum.  I haven't checked out the source, but this seems to imply that punBB does no validation on whether a user has permission to view a topic when it's displayed in search results.

Re: [bug] Unprivileged users can get search results from private forums

I will look into it tonight.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: [bug] Unprivileged users can get search results from private forums

He's right: I haven't looked at the code, but if you search for posts (not a topic search) you get results that you shouldn't get

4

Re: [bug] Unprivileged users can get search results from private forums

It appears that when you're searching by posts and a specific forum is not selected, the group permissions never get checked.

Line 300 needs to be changed from:

else if ($forum_sql != '')

To simply:

else

I'm pretty sure this is the intended behavior, that forum_sql stuff just snuck in there.

Hard work may not kill you, but why take chances?

5

Re: [bug] Unprivileged users can get search results from private forums

It might also be good to make an announcement for the fix, since this is a fairly glaring security bug. Or maybe we're just too protective over the privacy of our mod hideout at MacAddict. Now we will always wonder just how much Miles knows. tongue

Hard work may not kill you, but why take chances?

Re: [bug] Unprivileged users can get search results from private forums

You're absolutely correct. The fix you posted above solves the problem and is now in subversion. I'm planning on releasing 1.2.1 sometime this weekend, so I was hoping I could hold off on posting an announcement until then. If you feel different, let me know and I will tend to it.

Remind me to set up some kind of protocol for reporting potential security issues smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

7

Re: [bug] Unprivileged users can get search results from private forums

That sounds like a fine plan. It's not like this compromises the server and I'm doubting most instance of PunBB have private forums discussing matters of national security. We just tend to be overly protective of the mystery that surrounds the Mod Squad at MacAddict. Apple's love for mystery must have rubbed off on us. wink

Oh, and you should setup some sort of protocol for reporting potential security issues. wink Does Trac have any features like that?

Hard work may not kill you, but why take chances?

Re: [bug] Unprivileged users can get search results from private forums

Well it is quite serious in it's own way. Some people use private forum as mailing list, for their families, or cared one, or whatever. And some might very well not like if someone is getting access. Imho, that deserve a news, not a big one but a explanation of the issue, the solution, and the future release of 1.2.1

9

Re: [bug] Unprivileged users can get search results from private forums

GUI wrote:

Now we will always wonder just how much Miles knows. tongue

You'll just have to keep wondering. tongue Although I never would have been searching for posts by you if you had just replied to my thread about the mod in the first place.  Ah well, time to find a new security hole.  I must try to keep quiet about this one hmm wink

Re: [bug] Unprivileged users can get search results from private forums

I've setup an e-mail address security@<this domain> for security related matters. Now I just have to plug it somewhere on the website smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: [bug] Unprivileged users can get search results from private forums

Bug forum description?

Re: [bug] Unprivileged users can get search results from private forums

Good idea.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

13

Re: [bug] Unprivileged users can get search results from private forums

A sticky might help, too.

Re: [bug] Unprivileged users can get search results from private forums

Another good idea smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."