March 8, 2009 in Feedback
Hi, in 3.0 you MUST add captcha to mass moderation/mass moves and/or when a super moderator moves multiple topics.
Every thread in my forum was just deleted by a script which was used, and this is the solution to it.
How it works: The script posts variables including the user agent pretending to be a moderator, then deletes every thread in every forum. In my case, this was about 12k threads which contained about 59k posts. Sadly, we had no backups. Anyways, this would be a great feature to implement and there should be an option in the ACP to enable/disable this.
Please take it into consideration, thanks.
There should be an option to disable it. I don't want mass moderation at all.
The problem here isn't the lack of a CAPTCHA, it's the fact a script was able to get access to moderator functions.
You should report this in the Bug Tracker since this is obviously a major security issue.
As far as I'm aware 3.0 has form validation keys which prevent CSRF attacks like that from taking place.
But if this is an existing problem in 2.3.6, they should release a bug fix, since this may be a major security issue.
2.3.6 ALSO had form validation keys in the moderator forms. I'd submit a ticket - I can't even begin to imagine how this could have happened. I'd venture to guess a moderator actually did this, or someone somehow gained access to your moderator's account. You can't just write a script to "pretend" to be a moderator...IPB isn't going to treat you as a moderator unless you are using a moderator's account.
First off, don't let Mods make "Mass Moderation", only use them. If you made a Mass Moderation to delete a topic, and not place it in the trashcan, then you need to rethink some things.
This topic is now archived and is closed to further replies.