Admin only category can easily be hacked?
We have a forum with an admin only category. We have found that there is a serious bug in the security. Navigate to an admin account http://www.ourforum.nl/index.php?p=/profile/11/ADMINUSER then click on comments of the adminuser (http://www.ourforum.nl/index.php?p=/profile/comments/11/ADMINUSER) and then one can read the first part of the admin only category comments.
Can anyone confirm this?
Answers
The word 'hacked' is bandied about a bit.
I can confirm that you can't see a private category post through profile/comments with 2.0.18.2, when not admin, when custom permissions are set so it is only Administrator.
The thing to do is open the issue on GitHub and provide steps to reproduce the issue.
grep is your friend.
This issue has already been fixed here:
https://github.com/vanillaforums/Garden/issues/904
Upgrade.
grep is your friend.