Private Messages


Subject: Private Messages
hi, im new here but have my forum on icy pheonix.

i have come across a serious (imo) security issue while using the user options in ACP

basically it allows admin to view members PRIVATE MESSAGES.
this is something i dont want as private messages should be just that PRIVATE.


is there a simple way of deleting this option from ACP?

when i enter ACP and click USERS 7 from top is PRIVATE MESSAGES it is this i want removing from my site.


any help/pointer glady recieved.

many thanks in advance :oops: :wink:

Profile PM  
Subject: Re: Private Messages
You can simply delete or rename with a non .php extension the file your_root/adm/admin_priv_msgs.php ;)



Edit: I don't think is a security issue. Can turn out to be useful in some cases of harrassments via PM, then you can check and prove it.

It should just be kind from the administrator to warn the users that pms can be read from admins ;)

Last edited by Vortex on Sun 14 Dec, 2008 18:49; edited 1 time in total
Subject: Re: Private Messages
Vortex wrote: [View Post]
You can simply delete or rename with a non .php extension the file your_root/adm/admin_priv_msgs.php ;)



have you simpleton instructions on how to do this?

im no technical genius :oops: :oops:

Profile PM  
Subject: Re: Private Messages
playmisty wrote: [View Post]
Vortex wrote: [View Post]
You can simply delete or rename with a non .php extension the file your_root/adm/admin_priv_msgs.php ;)



have you simpleton instructions on how to do this?

im no technical genius :oops: :oops:



If you installed Icy, I suppose you can use the FTP client ;)


Just connect and go to root(folder where you have Icy)/adm/ and delete the file admin_priv_msgs.php


(Personally I just rename it to admin_priv_msgs_php so that it no longer appears it ACP ;) )

Subject: Re: Private Messages
though it is still easy to read private messages as everything is stored in the database... so for security it is not really an issue...

Subject: Re: Private Messages
I've do this :
OPEN
Code: [Download] [Hide]
  1. your_root/adm/admin_priv_msgs.php 

FIND
Code: [Download] [Hide]
  1. <?php 

AFTER, ADD
Code: [Download] [Hide]
  1. if($userdata['user_id'] == 2) { 

FIND
Code: [Download] [Hide]
  1. ?> 

BEFORE, ADD
Code: [Download] [Hide]
  1. else { redirect(INDEX_MG.PHP_EXT); } 

Profile PM  

Page 1 of 1


  
You cannot post new topics
You cannot reply to topics
You cannot edit your posts
You cannot delete your posts
You cannot vote in polls
You cannot attach files
You can download files
You cannot post calendar events

   

This is a "Lo-Fi" version of our main content. To view the full version with more information, formatting and images, please click here.

Powered by Icy Phoenix based on phpBB
Generation Time: 0.0866s (PHP: 20% SQL: 80%)
SQL queries: 11 - Debug Off - GZIP Enabled