|
|
Joined: Jan 2003
Posts: 338
Enthusiast
|
Enthusiast
Joined: Jan 2003
Posts: 338 |
I dont know how to describe it.. On the board is error allows users change group to admin and login as any admin. I dont know how...??? 2 days ago, one of my user, get himself admin privs and delete my database - only on forum, because I have adminlogs. Month ago, this same person delete base on another forum...
|
|
|
|
Joined: Nov 2001
Posts: 10,369
I type Like navaho
|
I type Like navaho
Joined: Nov 2001
Posts: 10,369 |
I would venture that's not possible in an unmodified version. They would need database access to do that. I'd do some checking of your admin scritps and make sure you update them with a fresh clean copy of 6.3 from the member area. If it's a legimate bug - then it needs to be reported at http://community.infopop.com
|
|
|
|
Joined: Aug 2002
Posts: 1,191
Kahuna
|
Kahuna
Joined: Aug 2002
Posts: 1,191 |
I have tried several times when logged as a user to "break" it and gain access to it. The reason being that my board is for "by invitation only" people and I don't want guests to evesdropping in what we post. Trust me on this, the security features are pretty tight!
In addition to what Josh said, you can use a fresh copy of your version and with Beyond Compare compare the files to see where a problem might exist.
Nikos
|
|
|
|
Joined: Jan 2003
Posts: 338
Enthusiast
|
Enthusiast
Joined: Jan 2003
Posts: 338 |
hmm.. but it happened not only on my forum...
|
|
|
|
Joined: Jul 1999
Posts: 118
Enthusiast
|
Enthusiast
Joined: Jul 1999
Posts: 118 |
independent of this bug, I think there should be a way to limit power of admins. sort of a second class admin, who at least cannot give arbitrary database commands!! Or a super-moderator with increased power. Do you have an admin log that says the username of the person that gave the commands? Maybe the person cracked that password for the database and acesses it directly? your database allows remote access? did you study the security precautions in mysql.org (?) Or maybe they log into your server?
|
|
|
|
Joined: Apr 2001
Posts: 3,266
Member
|
Member
Joined: Apr 2001
Posts: 3,266 |
If I remember correctly you ran a highly modified 6.1 site. I as Josh has stated would suspect a bad hack. On a clean install I see no way to get in. Unless a hack your using lets someone gain access to your database password and user i see no way to do it.
|
|
|
Donate to UBBDev today to help aid in Operational, Server and Script Maintenance, and Development costs.
Please also see our parent organization VNC Web Services if you're in the need of a new UBB.threads Install or Upgrade, Site/Server Migrations, or Security and Coding Services.
|
|
Posts: 1,157
Joined: July 2001
|
|
Forums63
Topics37,573
Posts293,925
Members13,849
|
Most Online5,166 Sep 15th, 2019
|
|
Currently Online
Topics Created
Posts Made
Users Online
Birthdays
|
|
|
|
|