Hi there,
Our forum at Joomlashine.com has caught a problem that we think is a bug of Kunena forum.
I would like to show the steps to reproduce the issue here:
- In Kunena backend, create a new Category "Test Category" and set the option "Review posts" to "yes":
screencloud.net/v/4oun
- Now prepare 2 registered usernames (both of them are not forum moderators), let's take them as "User1" and "User2"
- Login as User1 and create a new thread "Test Thread" in "Test Category". Now the new thread is created, a moderater has to approve the new thread, go ahead and approve the post.
- Login as User2 and create a reply in "Test Thread", using the bbcode confidential, for example:
Code:
Hello,
[confidential]This is my private information[/confidential]
This reply must also be approved by a moderator. The content inside the Confidential syntax should only be shown to Moderators and the owner of the reply (User2)
- Now is where the problem occurs. Login with a moderator username and approve the reply of User2. This action will notify User1 about the response of User2 via email. In this email, the whole content of User2's reply will be sent, including the confidential information:
screencloud.net/v/g10M
In forum posts, it's displayed fine (only moderators and reply's owner can see the confidential information)
- In addition, if anyone who has subscribed the thread "Test Thread", they will be notified about the answer of User2, and of course will see the private information of User2.
This is a serious security problem that I hope Kunena developers can help investigate and solve for future update.
For any information please contact me at
[email protected]
Thanks and Regards,
Anh
