Ticket #343 (fixed bug)
Moderators can ban other moderators
- Created: 2011-03-10 14:14:37
- Reported by: Franz
- Assigned to: Franz
- Milestone: 1.4.5
- Component: security
- Priority: high
It is currently possible for moderators (if they are allowed to ban users) to ban other moderators. This should not be allowed.
History

- Status changed from fixed to open.
To reproduce, click the Ban button without entering a username.
File: C:\xampp\htdocs\fluxbb145master\admin_bans.php
Line: 62
FluxBB reported: Unable to fetch group info
Database reported: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 (Errno: 1064)
Failed query: SELECT g_moderator FROM groups WHERE g_id=
Franz 2011-03-13 17:48:38

Ah, I think I forgot to hide the ban button for moderators on moderators' profiles. I will look into it.

There are 2 other ways to do this on the Bans page.
1) Edit an existing ban entry
2) Add a ban entry but don't enter the moderator's username on the 1st page, but do it on the 2nd page.
Franz 2011-03-22 01:31:16

- Status changed from open to fixed.
Ok, after Quy's recommendation I now prohibited banning moderators altogether in 8e3c445.
This could theoretically still be circumvented by banning the IP of a moderator (or administrator, for that matter). If you don't mind, I won't add this before 1.4.6, though.

In check_bans function, a partial/immediate solution is to add the default moderator group (PUN_MOD) to the check which would cover most installs.
    // Admins aren't affected
    if ($pun_user['g_id'] == PUN_ADMIN || !$pun_bans)
        return;
Franz 2011-03-22 13:02:30

Still wondering whether this would be good. Banning administrators won't work anyway, so in some (rare, weird) cases you might actually want to ban their old IP.
For moderators, things get complicated. We'd also need to decide which IP address to use (the newest, I suppose) and whether that would cause any damage.
Reines 2011-03-22 13:12:56

To be honest I wouldn't bother with worrying about banning IP addresses of moderators/admins, since due to dynamic IPs and so on it's basically impossible to make it work 100%.

Yes, because it does not make sense to ban an administrator/moderator and not move the banned user to a non administrator/moderator group.
Franz 2011-03-22 16:15:23

Well, Quy, the problem would be that "evil" moderators could try to ban another moderator via their IP even though it shouldn't be possible at all.

That is why I suggested adding the default moderator group to be excluded in the check_bans function.
Franz 2011-03-22 16:37:38

Gotcha, makes sense. Especially as I now prohibited banning moderators. I misunderstood your point earlier, sorry.
And thanks, I'll do that in a few minutes.
Franz 2011-03-22 16:52:38

Ok, I've committed b4937b4, which does this in a slightly simpler way and for all moderators.
So we should really be done with this now.
One more, only slightly related thing: expired bans are not deleted when admins or mods browse the board, due to the way the check_bans() function is constructed. Should we change this?
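The two guards discussed in this ticket, written out as an added illustration rather than FluxBB's own code: a server-side check for admin_bans.php that refuses a ban targeting an administrator or moderator on every form path (Ban button, editing an entry, username supplied on the second page, and the empty-username case that produced the SQL error in the report), and a model of the early return in check_bans() that exempts all moderator groups via the g_moderator flag instead of PUN_MOD alone. The names validate_ban_target and is_staff_group, the inline groups, users and bans tables, and the return shape of check_bans are assumptions for the example; PUN_ADMIN, PUN_MOD, g_id, g_moderator and check_bans come from the ticket.

```php
<?php
// Added illustration, not FluxBB's own code. Sample tables below are constructed;
// is_staff_group() and validate_ban_target() are hypothetical helper names.

const PUN_ADMIN = 1;
const PUN_MOD   = 2;

// Constructed sample of the groups table: group id => row
$groups = [
    PUN_ADMIN => ['g_moderator' => 1],
    PUN_MOD   => ['g_moderator' => 1],
    3         => ['g_moderator' => 1],   // a custom moderator group
    4         => ['g_moderator' => 0],   // ordinary members
];

// Constructed sample of the users table: username => group id
$users = [
    'alice' => PUN_ADMIN,
    'bob'   => PUN_MOD,
    'carol' => 3,
    'dave'  => 4,
];

/**
 * True if the group is the admin group or has g_moderator set. Testing the
 * flag covers custom moderator groups that an exclusion of PUN_MOD alone misses.
 */
function is_staff_group(array $groups, $g_id): bool
{
    // Validate before any lookup: the report shows an empty username reaching
    // the database as "WHERE g_id=" and failing with a syntax error.
    if (!is_int($g_id) || !isset($groups[$g_id])) {
        return false;
    }
    return $g_id === PUN_ADMIN || (int) $groups[$g_id]['g_moderator'] === 1;
}

/**
 * Guard for the ban form: reject the target before any ban row is written,
 * whichever step of the form supplied the username. Returns an error string,
 * or null when the ban may proceed.
 */
function validate_ban_target(array $users, array $groups, string $username): ?string
{
    $username = trim($username);
    if ($username === '') {
        return 'No username given';
    }
    if (!isset($users[$username])) {
        return 'No user by that name';
    }
    if (is_staff_group($groups, $users[$username])) {
        return 'Administrators and moderators cannot be banned';
    }
    return null;
}

/**
 * Model of check_bans(): staff return before any matching, so a ban entry
 * (including an IP-only one) never affects them. As noted in the thread, this
 * also means expired entries are not purged during a staff visit; they are
 * reported for purging on the next ordinary member's request instead.
 */
function check_bans(array $pun_user, array $groups, array $pun_bans, int $now): array
{
    if (is_staff_group($groups, $pun_user['g_id']) || !$pun_bans) {
        return ['banned' => false, 'purged' => []];
    }
    $banned = false;
    $purged = [];
    foreach ($pun_bans as $ban) {
        if ($ban['expire'] !== null && $ban['expire'] <= $now) {
            $purged[] = $ban['id'];   // expired: drop it, do not match on it
            continue;
        }
        if ($ban['username'] !== null && strcasecmp($ban['username'], $pun_user['username']) === 0) {
            $banned = true;
        }
        if ($ban['ip'] !== null && $ban['ip'] === $pun_user['ip']) {
            $banned = true;
        }
    }
    return ['banned' => $banned, 'purged' => $purged];
}

// Usage with the constructed data
var_dump(validate_ban_target($users, $groups, 'carol'));  // moderator: rejected
var_dump(validate_ban_target($users, $groups, ''));       // empty name: rejected, no query
var_dump(validate_ban_target($users, $groups, 'dave'));   // NULL: ordinary member, allowed

$bans = [
    ['id' => 1, 'username' => null,   'ip' => '203.0.113.5', 'expire' => null],
    ['id' => 2, 'username' => 'dave', 'ip' => null,          'expire' => 1000],
];
$now = 2000;
// Moderator at the banned IP: unaffected, nothing purged on this visit.
print_r(check_bans(['username' => 'carol', 'g_id' => 3, 'ip' => '203.0.113.5'], $groups, $bans, $now));
// Ordinary member at the same IP: banned, and expired entry 2 is reported for purging.
print_r(check_bans(['username' => 'dave', 'g_id' => 4, 'ip' => '203.0.113.5'], $groups, $bans, $now));
```

The point of checking on the server in validate_ban_target rather than only hiding the Ban button is that the first comment in the ticket lists two further routes to the same ban form; a single guard at the point where the row is written covers all of them.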
Reines 2011-03-22 18:51:25

Nah, they will be deleted when any non-admin/mod browses so that's good enough.