Topic: admin_bans doesn't properly check username
I mean, it checks it properly up here
if (isset($_GET['add_ban']) || isset($_POST['add_ban']))
{
// If the id of the user to ban was provided through GET (a link from profile.php)
if (isset($_GET['add_ban']))
{
$add_ban = intval($_GET['add_ban']);
if ($add_ban < 2)
message($lang_common['Bad request']);
$user_id = $add_ban;
$result = $db->query('SELECT group_id, username, email FROM '.$db->prefix.'users WHERE id='.$user_id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
if ($db->num_rows($result))
list($group_id, $ban_user, $ban_email) = $db->fetch_row($result);
else
message('No user by that ID registered.');
}
else // Otherwise the username is in POST
{
$ban_user = trim($_POST['new_ban_user']);
if ($ban_user != '')
{
$result = $db->query('SELECT id, group_id, username, email FROM '.$db->prefix.'users WHERE username=\''.$db->escape($ban_user).'\' AND id>1') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
if ($db->num_rows($result))
list($user_id, $group_id, $ban_user, $ban_email) = $db->fetch_row($result);
else
message('No user by that username registered. If you want to add a ban not tied to a specific username just leave the username blank.');
}
}However, when you're adding advanced settings, username isn't checked. That means you can ban an administrator (kind of, bans don't affect admins) or just randomly ban people.
And on that subject, the message about banning admins is redundant, since banning doesn't work on admins anyway: the check_bans function has
// Admins aren't affected
if ($pun_user['g_id'] == PUN_ADMIN || !$pun_bans)
return;
