Previous Thread
Next Thread
Print Thread
Hop To
#236482 04/30/2010 11:48 AM
Joined: Apr 2010
Posts: 4
L
stranger
stranger
L Offline
Joined: Apr 2010
Posts: 4
Hello, I am a moderator on a ubb board, and it was recently brought to my attention that another moderator has figured out a way to access the private pm's of other members. Unfortunately our Admins are all absent and so I cannot hand over this problem to them.

First off, how exactly does one do this? I'd like to find the settings to revoke this ability, if possible. The member who alerted me mentioned something about changing the post number to find the PM's, but he was unsure about it himself.

Would simply taking away all of his moderator privileges, and making him just a regular member, deny him the ability to do this? Or is it something else that is granting a backdoor to anyone with the technical know-how?

Any advice would be greatly appreciated!

Thank you.

Joined: Dec 2006
Posts: 1,235
veteran
veteran
Joined: Dec 2006
Posts: 1,235
You really need to bring this matter to the attention of the forum administrator when he or she becomes available and let them deal with it.

Even if it is possible, and I'm not sure that it is without direct Admin access to the database, it wouldn't be the correct policy for UBBC or it's members to give out such information in general.

Joined: Jan 2005
Posts: 186
member
member
Joined: Jan 2005
Posts: 186
I don't think there is a direct way to do it, but while looking into it I figured out a work around that if they have CP access could potentially be exploited. I don't really want to post the method though.

Taking away his moderator privileges should fix it on 7.5. I tested that changing the post number will not give him access in 7.5 What version of the software is that board running?

Joined: Apr 2010
Posts: 4
L
stranger
stranger
L Offline
Joined: Apr 2010
Posts: 4
As of now, the board is running 7.2.2, and yes, it was definitely a workaround move that had remained heretofore undiscovered.

I'm not particularly familiar with editing the board, plus since I'm only a moderator I doubt I'd have access to such a thing (which is probably a good thing, as I'd most likely mess it up). But if you could PM me with your suggestion, in order to keep it private, I could forward the how-to so he could change it for us.


Thank you for testing the limits of the moderator privileges on the newer version. Our admin won't be back on the boards until November at least, and that length of time with open access to PM's worries me. If there's any way I can do something about it in lieu of his absence, I will. However if it turns out I can't, all I can do is warn other members not to exchange too much personal information via PM.

Joined: Apr 2007
Posts: 3,940
Likes: 1
SD Offline
Former Developer
Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
did they at least give you more access than just Moderator privs?

i mean, they bail until November and expect you to admin the board as a Moderator?

:wtf:

Joined: Dec 2003
Posts: 6,560
Likes: 78
Joined: Dec 2003
Posts: 6,560
Likes: 78
Nobody really addressed a fix.
But if the admins are out of touch and you have full access to the control panel.
First option is to remove that member as a moderator. (This may cause ill will to the member)
Also not knowing the work around that allows this leak.
Check to see if the member is in a special group that allows admin access in the control panel.
CP>> member management
Search for user and view what groups he is in.
He may inadvertently be added to the administrator group that would allow him to become a member. To view private topics.
If he is just in a moderator group and that group has cp access then you have a issue where it will impact all moderators.

If it were me I would ban him from the site due to abuse of access rights.

There is no legit reason to view another members private messages, Unless requested to do so by the member if they are having a issue with the feature.

Last edited by Ruben; 04/30/2010 4:40 PM. Reason: Added Comment

Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Jun 2006
Posts: 16,292
Likes: 116
UBB.threads Developer
UBB.threads Developer
Joined: Jun 2006
Posts: 16,292
Likes: 116
Originally Posted by Ruben
There is no legit reason to view another members private messages, Unless requested to do so by the member if they are having a issue with the feature.
To address abuse or spam claims you mean tongue


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Joined: Dec 2003
Posts: 6,560
Likes: 78
Joined: Dec 2003
Posts: 6,560
Likes: 78
Exactly.
In my case, sometimes I use the become a member feature just to test permissions issues at the request of the member, But I never ever open the PT topics unless specifically requested to do so.
And to date I have never been asked to do so.
So even If I use the become a member and I see a message pending I don't open it for two reasons.Well maybe three.
1. It is none of my business.
2. If I open it it will be tagged as read so the user will never be notified they have a pending message when they re visit the site.
3. They may be talking about me.(LOL)


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Dec 2003
Posts: 6,560
Likes: 78
Joined: Dec 2003
Posts: 6,560
Likes: 78
Back to my original statement I would ban the "SOB" for abuse of privileges.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Jun 2006
Posts: 811
old hand
old hand
Joined: Jun 2006
Posts: 811
I'll be 40 this year. I have no patience for stuff like this any more. I'd delete his account without hesitation and move on.

Joined: Jan 2008
Posts: 514
addict
addict
Joined: Jan 2008
Posts: 514
ditto

Joined: Jul 2007
Posts: 91
journeyman
journeyman
Joined: Jul 2007
Posts: 91
I have been on both sides of the fence as a Mod then an Admin for Absent owner and now as an Owner.

Just some points I want to make.

People lie. I have had cases where some said that there PM's were read and what happened is the other person or persons in the PM shared the information via email, phone or Instant Message. So really no unauthorized person read their PM's, but some one shared it with others.

As a Mod, not sure what you are able to do, on my board and the other board I was a Mod then and Admin, Mods do not have access to the control panel.

In this day in Technology I can't imagine that your board owner or Admin can't have access to a computer some where. Libraries have computer for people to use.

If you have access to the Control Panel, make sure that what you are told is true before making a move to remove a Mod from a board you don't own.

There can be a lot of backyard politics, adults acting like grade school children at play here or some members who have banned together to see if they can get a Mod they don't like removed.

So make sure you have all the facts before you do any thing.

Val


Joined: Mar 2007
Posts: 522
Addict
Addict
Joined: Mar 2007
Posts: 522
The tiger makes some very good points.


Steve

UBB.classic from 2000-2003
UBB.threads from 2003-present!
Joined: Jan 2008
Posts: 514
addict
addict
Joined: Jan 2008
Posts: 514
Yup Tiger does... I am just saying given the little bit of information we know what I would do. However, I wouldn't take any action until you knew beyond a reasonable doubt that this occurred.

Dunny

Joined: Dec 2006
Posts: 1,235
veteran
veteran
Joined: Dec 2006
Posts: 1,235
Originally Posted by Mitch P.
I'll be 40 this year. I have no patience for stuff like this any more. I'd delete his account without hesitation and move on.
Same here. Was 40 a couple of years back but take exactly the same stance. Funny how age and maturity influences you..... or just makes you more grumpy and less tolerant. mad grin

Joined: Mar 2007
Posts: 522
Addict
Addict
Joined: Mar 2007
Posts: 522
Originally Posted by Dunny
Yup Tiger does... I am just saying given the little bit of information we know what I would do. However, I wouldn't take any action until you knew beyond a reasonable doubt that this occurred.

Dunny

Actually, if he CLAIMED to have done it, even if he didn't, that ought to be grounds for demodding, too. He'd just be stirring things up.

And I turned forty about eleven years ago.


Steve

UBB.classic from 2000-2003
UBB.threads from 2003-present!
Joined: Jul 2007
Posts: 91
journeyman
journeyman
Joined: Jul 2007
Posts: 91
This is one of these situations where I think you make sure you have your facts straight and retain any posts where he said that, I would make a PDF file of that post.

I don't keep members or Mods around that make it their mission in life to Stir the Pot. All I am saying is to make sure that the facts are correct before you take action.

I am 40+++ years old also, so I am not some young thing that takes things at face value. I want the Facts. If the Facts are so muddled in a He said/she said situation then I at that point just use my best judgment.

Val da Tiger

Joined: Jun 2006
Posts: 16,292
Likes: 116
UBB.threads Developer
UBB.threads Developer
Joined: Jun 2006
Posts: 16,292
Likes: 116
I feel so young all of a sudden (27) lol...

But as a longtime forum owner, really this decision should lie with them, regardless of weather they're away or not... They obviously decided to staff said user for a reason...


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Joined: Apr 2010
Posts: 4
L
stranger
stranger
L Offline
Joined: Apr 2010
Posts: 4
This particular mod had his banning privileges revoked after an incident last year, and our admin never particularly liked him to begin with. So the mod has been pestering everyone to get his full mod privileges restored, but that was never going to happen. He also confided to another mod (who confided in me) that "he's glad to leave an online elitist clique of misanthropes" and that he wants out. So I've been in touch with another admin via phone (since he moved he hasn't had internet access) to keep him appraised of the situation.

And no worries, I've been trying to quietly gather my facts and make sure my ducks are in a row before I take any action. I'll think I'll just have the one admin send him a quick PM and cancel his moderator status today.

The lack of admins is frustrating. We had/have three, and one hasn't been back on since February. The other, like I mentioned, moved, and the main admin is currently managing a Senate campaign and just doesn't have the time to get to the site. If I'd thought about it, I should have gotten his cell number before he went on hiatus, so I could let him know if something like this needed to be taken care of. But the admins trust my judgment, and know that I'm not a backhanded kind of person who does stuff behind others' backs. So I'll try to get in touch with the admin who moved, so he can take care of things, even if he has to drive to Starbucks or Panera for the free WiFi, lol!

Joined: Jan 2005
Posts: 186
member
member
Joined: Jan 2005
Posts: 186
I agree with making sure that you have all the facts first. Can you try to email all of the admins and see if someone can grant you admin control to take care of the site while they are away?

Joined: Apr 2010
Posts: 4
L
stranger
stranger
L Offline
Joined: Apr 2010
Posts: 4
Well, luckily the main admin stopped by and took care of the problem Mod for us. I also notified him of the potential problem with the current software version we're running.

I'd like to thank everyone for all of your input! I really appreciated it! grin

Joined: Jul 2007
Posts: 91
journeyman
journeyman
Joined: Jul 2007
Posts: 91
I am glad your problem got resolved. You Admins. need to be accessible to handle problems.

Joined: Aug 2004
Posts: 460
Addict
Addict
Joined: Aug 2004
Posts: 460
So the only way a (global) mod with CP access would be able to access another user's PMs is by logging in as that user from the CP?

This would leave a trace in the admin logs, so it would be easy to see who did so and when (logged in as another user).

Or was another method user, one that cannot be detected by the main forum admin?

Joined: Jun 2006
Posts: 16,292
Likes: 116
UBB.threads Developer
UBB.threads Developer
Joined: Jun 2006
Posts: 16,292
Likes: 116
Even mods with "full access" I don't think can see the "Become User" link; I think that they have to actually be an admin.

As for the action, I think that the "become member" link does log in the CP.


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Joined: Dec 2003
Posts: 6,560
Likes: 78
Joined: Dec 2003
Posts: 6,560
Likes: 78
Well I refrained from posting on this subject at first.
Giz is correct on his assumption.
Even if a Mod has cp access there are limitations on what features they can access such as become a member.
If you have admin access you could use this feature and then delete the admin log afterward.
But I would never ever attempt to do so. No mater what the situation.
I only use become a member when a user is having a issue to resolve. And I Inform them I am doing so.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers

Link Copied to Clipboard
ShoutChat
Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.
Recent Topics
spam issues
by ECNet - 03/19/2024 11:45 PM
Looking for a forum
by azr - 03/15/2024 11:26 PM
Editing Links in Post
by Outdoorking - 03/15/2024 9:31 AM
Question on barkrowler and the like
by Mors - 02/29/2024 6:51 PM
Member Permissions Help
by domspeak - 02/27/2024 6:31 PM
Who's Online Now
3 members (rootman, Gizmo, Nightcrawler), 562 guests, and 186 robots.
Key: Admin, Global Mod, Mod
Random Gallery Image
Latest Gallery Images
Los Angeles
Los Angeles
by isaac, August 6
3D Creations
3D Creations
by JAISP, December 30
Artistic structures
Artistic structures
by isaac, August 29
Stones
Stones
by isaac, August 19
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20230217)