1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Tor

Discussion in 'XenForo Questions and Support' started by Bob_R, Jan 23, 2015.

  1. Bob_R

    Bob_R Active Member

    Has anyone ever heard of Tor?

    Well guess what. Anyone that has Tor and is a member of your site (maybe they have to already be a Mod) instantly becomes a Mod of every forum on your board!

    If the staff here don't know about this I suggest you look into it immediately.

    And, if I'm somehow wrong or mistaken please guide me in the right direction.

    Because one of my members has just proved it to me. He can mod every single forum but the Staff Only forum.

    Does anyone have a logical explanation for this?
     
  2. Bob_R

    Bob_R Active Member

    Confirmed. As long as you are already a Mod you become a M0d of every forum.

    Major security vulnerability.
     
  3. Itworx4me

    Itworx4me Well-Known Member

    I would say you have a Permissions Issue. I would first check there.....
     
  4. Jeremy

    Jeremy XenForo Moderator Staff Member

    Besides permissions, can you replicate this yourself on a test account?

    How did you add the user to the moderator user group?

    How do you set up your moderator permissions?
     
  5. Bob_R

    Bob_R Active Member

    Huh?

    The guy's simply a mod of a single forum. Which permissions exactly would I need to check.
     
  6. Bob_R

    Bob_R Active Member

    No, can't replicate. Do not wish to install TOR.

    Do not remember how added to mod user group was last June

    Do not remember how set up moderator permissions was last June.
     
  7. Bob_R

    Bob_R Active Member

    Used Test Permissions from my AdminCP and he is indeed a Mod of every forum!!
     
  8. Jeremy

    Jeremy XenForo Moderator Staff Member

    Use Analyze Permissions -- test permissions applies their permissions on top of your current permissions.
     
    Bob_R likes this.
  9. Bob_R

    Bob_R Active Member

    His permissions are fine!

    What is the nextstep to fix this Xenforo security problem????!!!!
     
  10. Mike

    Mike XenForo Developer Staff Member

    What did analyze permissions show exactly? If test permissions gave you those permissions, then analyze permissions would show it. Tor is entirely unrelated.

    It's almost certainly an issue in your permission configuration, such as you applying moderator permissions to the moderating group (thereby giving them all moderator permissions everywhere it isn't explicitly removed).
     
  11. Bob_R

    Bob_R Active Member

    How would I change permissions for groups? aka.... Let's say my forum was just starting today with no Staff.
     
  12. Bob_R

    Bob_R Active Member

    Here's a little snapshot from his Analyze permissions.
     

    Attached Files:

  13. Bob_R

    Bob_R Active Member

    Some more info.
     

    Attached Files:

  14. Brogan

    Brogan XenForo Moderator Staff Member

    For global permissions, click on the user group, change the permissions.

    For individual nodes, click on the Permissions link for the node, click on the user group, change the permissions.
     
    Bob_R likes this.
  15. Mike

    Mike XenForo Developer Staff Member

    That analyze permission screenshot shows what I expected: you applied permissions via the moderating group. This means that the user receives those permissions everywhere unless explicitly revoked. If you are dealing with forum-specific moderators, you shouldn't specify any "default" moderating group permissions and apply the permissions you want via the "Moderators" system.
     
    ForestForTrees, Bob_R and Itworx4me like this.
  16. Bob_R

    Bob_R Active Member

    I am dealing with forum specific moderators. Where is the "Moderators" system?
     
  17. Mike

    Mike XenForo Developer Staff Member

    Users > Moderators. You showed screenshots from it.
     
  18. Lawrence

    Lawrence Well-Known Member

    AdminCP -> Users -> Moderators -> Create New Moderator
    Type in the user name, and then select Forum moderator, and select the forum from the drop down. This will take you to a new check-box permission system for that forum, :)
     
  19. Bob_R

    Bob_R Active Member

    @Brogan @Mike @Lawrence So what do you propose I do? De-mod everyone and just start from scratch? That seems to be the easiest and logical route but please correct me if I am mistaken.
     
  20. Brogan

    Brogan XenForo Moderator Staff Member

Share This Page