
Backdoor access to BOD and Mod forums?

Bryan C.

NAXJA Forum User
NAXJA Member
Location
Antioch, CA
So I was reading through the BOD forum and saw Tom Curran (Boatwrench) surfing the BOD forum. When I clicked his name and checked his profile, it came up with him viewing a thread in the moderator forum. So I sent him a PM and this is what he had to say.

Bryan C. said:
Boatwrench said:
Bryan C. said:
Tom, just curious, you have access to the BOD and Moderators forum?


BUSTED!

I was looking at a thread and on the bottom there was a list of 4-5 similar threads. One was Glenn concerning REV DEN from 2006. here!

I opened it and discovered I was on the Moderators discussion board. Peeked a bit to see how much back door access there was and well you busted me.

I was going to tell someone about this breach entry point but wanted to see how 'easy' it would be to get in...and it is.

I won't let it out how to get in but BOD should figure out how to close it.

Happy New Year,
Tom


Thank you Tom!

I saw your name and wondered how you got in there. I'll post it up in the BOD forum and have the admins check it out.


So I figured I had better post this up for the admins to check out. Maybe it was just a glitch for his account only, or maybe more people have the same issue? :dunno:
 
Thanks for the PM Bryan. As soon as I received it, I sent a PM to Boat for a phone call. In the interim I dug around and found the issue. As I was in progress of fixing it, Boat called and verified that it was indeed fixed... he no longer had access.

I have no idea how long this has been possible. This is simply to let you folks know the what. If it does not make sense... sorry, it is 1:30 am. :)

The Usergroup FAQ Team seems to have had elevated permissions. They have been able to read the BOD, Bin, & MOD forums, as well as several others.

The Usergroup Vendor has had access to Garbage Bin, Mod Forum, Election Committee, & BOD.

I removed access to both of those usergroups & did a quick check for others that should NOT have access.

I did NOT change access to the Members area for the usergroup Vendors, as I am not sure if we still grant them a membership or not.

I suggest a top to bottom look-over by the other Admins. Not a quick process, so I will also copy this post to the Admin area. If all of the admins put our eyes on it, hopefully this can be prevented. OK, almost quarter to 2 am...
 
I copied this thread to the Admin forum as well for our own discussion. It is almost 2 am, and my mind is numb.... so some more eyes to check for other errors would be a good idea.
 
OK as of 1-9-09, the 'FAQ Team' and 'Vendor' usergroups are gone. The new sponsor/vendor group is 'Vendors' and two folks were added (from vendor)

I'm going to look into the Election Committee, see who was a participant, look into their specific permissions, and fix as required.

EDIT 1-10-09 @ 1100 I looked over the participants, and killed their access (it was Me, Goatman, Yellaheep, JnJ, Beezil & Eagle)

I also poked around the Moderators list & killed access for Dr Moab, Scrappy Again, SeanR, Yellaheep and Led.

Led also had backdoor access to the BOD forum, legacy from either his hitch as Chapter Pres, or from the 25th AE Giveaway XJ build??? That is shut off now...

I posted this over in the BOD forum too... FYI
 