Kunena 7.0.6 & Kunena 6.4.12 – Security Updates Released
The Kunena team has announced the arrival of Kunena 7.0.6 [K 7.0.6] in stable, which is now available for download as a native Joomla extension for J! 5.4.x/6.0.x. This version addresses most of the issues that were discovered in K 6.2 / K 6.3 / K 6.4 and issues discovered during the last development stages of K 7.0.
The Kunena team is also pleased to announce the twelfth version of Kunena 6.4, a native Joomla extension for Joomla! 5.0, 5.1, 5.2, 5.3, 5.4 and 6.0.
Solved Security issue: Users can gain access to restricted categories in Kunena
I have a problem with my forum. When people click on a username they can see the recent posts of a user. When regular members click on an officer, they can jump to the officer forum and see everything in there, while they shouldn't be allowed in there. The officer forum is normally only available for the access level Officers. How can I solve this issue?
Use Kunena Category Manager and modify the Permissions tab of the category/categories that only your "officer" members should be allowed to access. If you cannot solve the problem yourself, please post a screenshot of the Permissions tab of one of these categories and we will try to see what you need to change. I hope this helps.
Blue Eagle vs. Crypsis reference guide
Read my blog and
No, this isn't my problem. The restrictions are working fine, but there's a way to work around it. See the attached image. Hence my title before you changed it ^^.
(1) Log in with a non-privileged user account. At this time the account is unable to view topics in restricted categories.
(2) View the profile of another user (a user who has "privileged" access to other categories) and view that user's most recently-posted messages and click the "more" link at the end of the list.
(3) On the next page, the list of available Board Categories includes all the categories that the "privileged" user has access to and now you can access and visit those categories as if you were the "privileged" user, including the ability to post messages in those categories.
This is very interesting and I will have to test this for myself.
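The listing behaviour described in steps (1) to (3), modelled as an added example (not Kunena's code and not part of the original posts): one listing scoped by the profile owner's category access, as reported, and one re-checked against the viewer, plus a check that flags any category the viewer should not see. The category IDs, access level names, users and function names are constructed for illustration, and the cause of the reported behaviour is not established in this thread.

```python
# Added illustration, not Kunena code. All data and names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    id: int
    category_id: int
    author: str


# category_id -> access level required to view it (constructed sample data)
CATEGORY_ACCESS = {1: "Public", 2: "Registered", 3: "Officers"}
# user -> access levels that user holds (constructed sample data)
USER_LEVELS = {
    "member": {"Public", "Registered"},
    "officer": {"Public", "Registered", "Officers"},
}
POSTS = [Post(10, 2, "officer"), Post(11, 3, "officer"), Post(12, 2, "member")]


def allowed_categories(user):
    """Categories a user may view; unknown users are treated as guests."""
    levels = USER_LEVELS.get(user, {"Public"})
    return {cid for cid, lvl in CATEGORY_ACCESS.items() if lvl in levels}


def recent_posts_owner_scoped(viewer, owner):
    """Reported behaviour: the list is scoped by the profile owner's access.
    The viewer argument is deliberately ignored to model that."""
    cats = allowed_categories(owner)
    return [p for p in POSTS if p.author == owner and p.category_id in cats]


def recent_posts_viewer_scoped(viewer, owner):
    """Expected behaviour: every row is checked against the viewer's access."""
    cats = allowed_categories(viewer)
    return [p for p in POSTS if p.author == owner and p.category_id in cats]


def leaked_categories(viewer, rows):
    """Regression check: categories present in a listing that the viewer
    is not allowed to see. An empty list means the listing is safe."""
    return sorted({p.category_id for p in rows} - allowed_categories(viewer))


if __name__ == "__main__":
    rows = recent_posts_owner_scoped("member", "officer")
    print("owner-scoped leak:", leaked_categories("member", rows))
    rows = recent_posts_viewer_scoped("member", "officer")
    print("viewer-scoped leak:", leaked_categories("member", rows))
```

The same check can be run against a real site by collecting the category IDs shown on another user's "recent posts" page while logged in as a low-privilege test account and comparing them with that account's permitted categories.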
I tested the claim here (at www.kunena.org) using a test account that has exactly the same access restrictions as sheno1. I was not able to use the method described by sheno1 to gain access to other categories, such as categories that only administrators, forum moderators and other "privileged" account holders can access here. I am not saying that the claims made by sheno1 are false but I would like to say that there is information as yet unknown to us about sheno1's website that may be allowing users there to bypass Kunena's security mechanisms. Until we learn more about these other facts that sheno1 has not shared with us, this remains a deep mystery.
Why is there a problem at your website but not here at this website? Your configuration report may assist us.
The security issue may involve some particular version of Joomla, or another Joomla extension. Until we know more, I really do not have any explanation to offer at this time.
Database collation check: The collation of your table fields are correct
Legacy mode: Disabled | Joomla! SEF: Enabled | Joomla! SEF rewrite: Disabled | FTP layer: Disabled |
This message contains confidential information
htaccess: Missing | PHP environment: Max execution time: 30 seconds | Max execution memory: 128M | Max file upload: 8M
Kunena menu details:
ID | Name | Menutype | Link | Path
498 | FORUM | mainmenu | Itemid=489 | kunena-2012-09-04
489 | Forum | kunenamenu | view=home&defaultmenu=491 | forum
490 | Forum | kunenamenu | view=category&layout=list&catid=0 | forum/forum
491 | Recent Topics | kunenamenu | view=topics&mode=replies | forum/recent
492 | New Topic | kunenamenu | view=topic&layout=create | forum/newtopic
493 | No Replies | kunenamenu | view=topics&mode=noreplies | forum/noreplies
494 | My Topics | kunenamenu | view=topics&layout=user&mode=default | forum/mylatest
495 | Profile | kunenamenu | view=user&layout=edit | forum/profile
496 | Help | kunenamenu | view=misc | forum/help
497 | Search | kunenamenu | view=search | forum/search
Joomla default template details : rt_quasar | author: RocketTheme | version: 1.0 | creationdate: September 11, 2011
Kunena default template details : NTS KRevista 2.0 | author: 9ThemeStore | version: 2.0.2 | creationdate: 2012-07-08
Kunena version detailed: Kunena 2.0.2 | 2012-09-02 [ Botschafter ]
Kunena detailed configuration:
Kunena config settings:
board_offline=0 | enablerss=1 | threads_per_page=20 | messages_per_page=6 | messages_per_page_search=15 | showhistory=1 | historylimit=6 | shownew=1 | disemoticons=0 | template=nts_krevista | showannouncement=0 | avataroncat=0 | catimagepath=category_images | showchildcaticon=1 | rtewidth=450 | rteheight=300 | enableforumjump=1 | reportmsg=1 | username=1 | askemail=0 | showemail=0 | showuserstats=1 | showkarma=0 | useredit=1 | useredittime=0 | useredittimegrace=1800 | editmarkup=1 | allowsubscriptions=1 | subscriptionschecked=1 | allowfavorites=1 | maxsubject=50 | maxsig=300 | regonly=1 | pubwrite=0 | floodprotection=0 | mailmod=0 | mailadmin=0 | captcha=1 | mailfull=1 | allowavatarupload=1 | allowavatargallery=1 | avatarquality=75 | avatarsize=2048 | imageheight=800 | imagewidth=800 | imagesize=500 | filetypes=txt,rtf,pdf,zip,tar.gz,tgz,tar.bz2 | filesize=2000 | showranking=0 | rankimages=0 | userlist_rows=30 | userlist_online=1 | userlist_avatar=1 | userlist_name=0 | userlist_posts=1 | userlist_karma=0 | userlist_email=0 | userlist_usertype=0 | userlist_joindate=1 | userlist_lastvisitdate=0 | userlist_userhits=0 | latestcategory= | showstats=0 | showwhoisonline=1 | showgenstats=0 | showpopuserstats=0 | popusercount=5 | showpopsubjectstats=0 | popsubjectcount=5 | usernamechange=0 | showspoilertag=1 | showvideotag=1 | showebaytag=1 | trimlongurls=1 | trimlongurlsfront=40 | trimlongurlsback=20 | autoembedyoutube=1 | autoembedebay=1 | ebaylanguagecode=en-us | sessiontimeout=1800 | highlightcode=0 | rss_type=topic | rss_timelimit=month | rss_limit=100 | rss_included_categories= | rss_excluded_categories= | rss_specification=rss2.0 | rss_allow_html=1 | rss_author_format=name | rss_author_in_title=1 | rss_word_count=0 | rss_old_titles=1 | rss_cache=900 | defaultpage=recent | default_sort=asc | sef=1 | sefutf8=0 | showimgforguest=1 | showfileforguest=1 | pollnboptions=8 | pollallowvoteone=1 | pollenabled=1 | poppollscount=5 | showpoppollstats=0 | polltimebtvotes=00:15:00 | pollnbvotesbyuser=1 | pollresultsuserslist=0 | maxpersotext=50 | ordering_system=mesid | post_dateformat=ago | post_dateformat_hover=datetime | hide_ip=1 | imagetypes=jpg,jpeg,gif,png | checkmimetypes=1 | imagemimetypes=image/jpeg,image/jpg,image/gif,image/png | imagequality=50 | thumbheight=32 | thumbwidth=32 | hideuserprofileinfo=put_empty | boxghostmessage=0 | userdeletetmessage=1 | latestcategory_in=1 | topicicons=1 | debug=0 | catsautosubscribed=0 | showbannedreason=0 | version_check=1 | showthankyou=0 | showpopthankyoustats=0 | popthankscount=5 | mod_see_deleted=0 | bbcode_img_secure=text | listcat_show_moderators=1 | lightbox=1 | show_list_time=720 | show_session_type=0 | show_session_starttime=0 | userlist_allowed=1 | userlist_count_users=1 | enable_threaded_layouts=0 | category_subscriptions=post | topic_subscriptions=every | pubprofile=0 | thankyou_max=10 | email_recipient_count=0 | email_recipient_privacy=bcc | captcha_post_limit=0 | keywords=0 | userkeywords=0 | image_upload=registered | file_upload=registered | topic_layout=flat | time_to_create_page=1 | show_imgfiles_manage_profile=1 | hold_newusers_posts=0 | hold_guest_posts=0 | attachment_limit=8 | pickup_category=0 | article_display=intro | send_emails=1 | fallback_english=1 | cache=1 | cache_time=60 | iptracking=1 | plugins=Array
Kunena integration settings:
Kunena - AlphaUserPoints Disabled
Kunena - Community Builder Disabled
Kunena - Gravatar Disabled
Kunena - JomSocial Disabled
Kunena - Joomla Enabled: access=1 login=1
Kunena - Kunena Enabled: avatar=1 profile=1
Kunena - UddeIM Enabled: private=1
Joomla! detailed language files installed:
Joomla! languages installed: en-GB English (United Kingdom)
Third-party components: UddeIM 2.8
Third-party SEF components: None
Plugins: None
Modules: None
I've denied people from viewing the member/officer forum by access levels. That should be enough, right?