Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Phorum: Easy way to add an admin

Comments Filter:
  • The page that does the 'promotion' to admin doesn't check the current user's credentials to verify that they are an admin - instead, the script was relying upon the fact that only admins get to see the page where this action is performed, thus only they (admins) would have the form or link needed to do this.

    I see this sort of thing all the time actually...

    [rant]In fact, one of my clients contacts me about once a year and has me do a security audit on thier 'new' website and ecommerce engine. Yes, thats r
    • Heh. Seen that too. :)

      This one allows for a new user to be added. I got to tempted.I just did it to http://www.php-homepage.de [php-homepage.de].

      Besides monkeys, there is yet another problem. Monkeys are definitely a problem. But, thewre are those who code with the thought "i'll check for permission when i need to". Personally, i take the approach of "create the box, and then let the user work within it".
    • TOPIC: Monkeys...

      I'm a monkey...
      called a 'make it work monkey'

      no money to pay for Guru X...so guess what...learn what you can and make it work...if we find a bug ... figure out how to fix it ... thankfully I just work for a private high school...so i'm a novell/ms/linux/web monkey who would LOVE to have the time and resources to actually attain GURU-ness in at least ONE of the disciplines, but as of yet still have no opportunity other than what I learn by doing...
      and I'm FAR from a Savant =)

      in this case.
      • no, you're not a monkey... monkeys think they are people.

        It's not monkeys versus gurus/savants, its monkeys versus people who know their limits and Try To Learn.

        Monkeys come in all shapes and sizes.. probably the easiest way to tell if someone is a monkey is to show them some new tech that they do not use for their job. Like, say, show a coldfusion guy a book on JSP. If they aren't interested at all, then they're a monkey - they're just in it for the money and want the bare minimum (in thier opinion) sk
  • It seems to me a simple idea that before a page loads you verify the user and his rights. Ideally you can make this a default on each page load (either through templates or such).

    • True. And that seems to eb an earlier bug of theirs. But they fixed it. A hack, but they fixed it.

      Here the problem is different. They define a constant on login. So, all pages need that first. However, the login page itself sets the constant and then resets on failure. Mistake! :)

      The file loads other pages which are now accessible.......

If you're not part of the solution, you're part of the precipitate.

Working...