View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000265 | XMB1 | Bugs | public | 2009-02-04 00:39 | 2009-02-05 07:12 |
| Reporter | miqrogroove | Assigned To | miqrogroove | ||
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | 1.9.8 SP2 | ||||
| Target Version | 1.9.11 | Fixed in Version | 1.9.11 | ||
| Summary | 0000265: Moderator Permissions Escalation | ||||
| Description | There needs to be a sanity check in topicadmin.php for things like moving threads to the forum they're already in. It was also discovered that the forum permissions were incorrectly applied to the topicadmin script in all previous versions of XMB. As a result, Moderators were being treated as Super Moderators for the following actions: Copy Thread Delete Thread Empty Thread Merge Thread Move Thread Prune Thread Split Thread View IP Address (blocked by 17 December patch) I have confirmed this bug exists in the XMB 1.9.8 code base. Mitigating Factors: The topicadmin script requires X_STAFF user status. All actions performed by the topicadmin script are logged. The status variable itself is unaffected, so privilege escalation is not permanent. | ||||
| Steps To Reproduce | Not disclosed. | ||||
| Tags | No tags attached. | ||||
| MySQL Version | |||||
| PHP Version | |||||
| Web Server | |||||
| Browser | |||||
| Flags | |||||
| Original Reporter | |||||
| SVN Revision | 1698 | ||||
| related to | 0000281 | closed | miqrogroove | Errors in Topicadmin |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-02-04 00:39 | miqrogroove | New Issue | |
| 2009-02-04 00:39 | miqrogroove | Summary | Thread Move Should Do Nothing if TID is Identical => Thread Move Should Do Nothing if FID is Identical |
| 2009-02-04 02:32 | miqrogroove | Status | new => assigned |
| 2009-02-04 02:32 | miqrogroove | Assigned To | => miqrogroove |
| 2009-02-04 03:10 | miqrogroove | Note Added: 0000137 | |
| 2009-02-04 03:10 | miqrogroove | Severity | minor => major |
| 2009-02-04 03:10 | miqrogroove | Projection | none => major rework |
| 2009-02-04 05:25 | miqrogroove | SVN Revision | => 1698 |
| 2009-02-04 05:25 | miqrogroove | Status | assigned => resolved |
| 2009-02-04 05:25 | miqrogroove | Fixed in Version | => 1.9.11 |
| 2009-02-04 05:25 | miqrogroove | Resolution | open => fixed |
| 2009-02-05 07:12 | miqrogroove | Status | resolved => closed |
| 2009-02-05 07:12 | miqrogroove | Summary | Thread Move Should Do Nothing if FID is Identical => Moderator Permissions Escalation |
| 2009-02-05 07:12 | miqrogroove | Description Updated | |
| 2009-02-05 07:12 | miqrogroove | Steps to Reproduce Updated | |
| 2009-02-27 07:41 | miqrogroove | Relationship added | related to 0000281 |
