Exploit
mihai9987
Posts: 5
Reputation: 0

Message # 1 | 11:52 AM
Screenshot: http://mihaiantoce.ucoz.ro/Untitled.png

Moderators with the ability to use "Admin bar" can choose the option "view site as administrator" and gain administrator privileges.

This is a HUGE exploit and a security breach.
Post edited by mihai9987 - Sunday, 2014-09-07, 11:53 AM
Paradox
Posts: 3278
Reputation: 145

Message # 2 | 12:01 PM
mihai9987, the site's administration features - including the admin bar - are for administrative purposes. In a uCoz sense as a CMS this means the management of the website; not simply the moderation of. What extra features does the admin bar provide for your Moderators that the standard user bar would not?

You are correct in what you say - I'm simply trying to understand your position on the matter. I don't believe there are currently plans to change this feature.

Web Applications Developer
Been here for 8 years and counting.
Visit me at alexmoloney.me.
Eriko
Pokémon Master
Posts: 960
Reputation: 34

Message # 3 | 12:04 PM
You can disable the admin bar by going to your control panel.

Go to http://mihaiantoce.ucoz.ro/admin and then:
Users (Left Menu) >> User groups >> Set permission for all groups >> Other

Check or uncheck the "Access to Admin Bar."

Click the link for more info on this matter:
http://forum.ucoz.com/forum/31-2189-1
mihai9987
Posts: 5
Reputation: 0

Message # 4 | 12:07 PM
Eriko, I want to keep the admin bar for my moderators as it's easier for them to moderate comments overall, but they can simply exploit it by giving themselves administrator permissions. I just want the option "View site as" removed. What do you guys think?

Paradox, if you have access to the admin bar, you can make yourself any group that you want. A moderator can become an administrator, thus you can have access to all administration functions like File Manager, Edit site design, Builder, which you would normally be unable to access.

In conclusion, the option "View site as" can be used by moderators to become administrators, thus enabling them to access "file manager, site design and builder, as well as Mass PM dispatch".
Post edited by mihai9987 - Sunday, 2014-09-07, 12:11 PM
Eriko
Pokémon Master
Posts: 960
Reputation: 34

Message # 5 | 12:19 PM
mihai9987, as far as I know it's just viewing the site that changes, not the privileges.
mihai9987
Posts: 5
Reputation: 0

Message # 6 | 12:21 PM
Incorrect, they can access the file manager, site design and builder, as well as Mass PM dispatch.
Test it for yourself: create a moderator and see for yourself.
Eriko
Pokémon Master
Posts: 960
Reputation: 34

Message # 7 | 12:31 PM
mihai9987, that's because they have access to the admin bar. That's not because they viewed the site as an administrator.
Sunny
Posts: 9296
Reputation: 456

Message # 8 | 2:17 PM
mihai9987, disable the option "Access to Admin Bar" for Moderators. They will still have access to the Admin Bar, but it's a limited version: they will be able to manage comments, but won't have the option "View site as".
I'm not active on the forum anymore. Please contact other forum staff.