Joined: Jan 2003
Posts: 338
Enthusiast
I don't know how to describe it... On the board there is an error that allows users to change their group to admin and log in as any admin.
I don't know how...???
2 days ago, one of my users got himself admin privs and deleted my database - only on the forum, because I have adminlogs.

A month ago, this same person deleted the base on another forum...

Joined: Nov 2001
Posts: 10,369
I type Like navaho
I would venture that's not possible in an unmodified version. They would need database access to do that.

I'd do some checking of your admin scripts and make sure you update them with a fresh clean copy of 6.3 from the member area.

If it's a legitimate bug - then it needs to be reported at http://community.infopop.com

Joined: Aug 2002
Posts: 1,191
Kahuna
I have tried several times when logged in as a user to "break" it and gain access to it. The reason being that my board is for "by invitation only" people and I don't want guests eavesdropping on what we post. Trust me on this, the security features are pretty tight!

In addition to what Josh said, you can use a fresh copy of your version and with Beyond Compare compare the files to see where a problem might exist.


Nikos
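The comparison against a fresh copy suggested above can also be scripted, which additionally surfaces files that exist only on the live site. This is an added example, not part of the original posts and not UBB.threads code; the file names, directory layout and the `expected_to_differ` list are constructed assumptions.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(clean_root, live_root, expected_to_differ=()):
    """Return files that are modified, added or missing in live_root."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    skip = set(expected_to_differ)  # e.g. site config edited at install time
    return {
        "modified": sorted(p for p in clean.keys() & live.keys()
                           if clean[p] != live[p] and p not in skip),
        # Files absent from the clean copy: uploaded scripts, leftover hacks.
        "added": sorted(live.keys() - clean.keys() - skip),
        "missing": sorted(clean.keys() - live.keys() - skip),
    }

def build_demo(base):
    """Constructed sample trees; names and contents are made up for the demo."""
    files = {
        "clean": {"admin/login.php": "<?php /* release version */ ?>",
                  "config.php": "<?php $dbpass = ''; ?>",
                  "index.php": "<?php /* release version */ ?>"},
        "live": {"admin/login.php": "<?php /* third-party hack */ ?>",
                 "config.php": "<?php $dbpass = 'site-specific'; ?>",
                 "admin/extra.php": "<?php /* not in the release */ ?>"},
    }
    for tree, entries in files.items():
        for rel, body in entries.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "clean"), os.path.join(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_trees(*build_demo(tmp), expected_to_differ=["config.php"]))
```

Anything listed under `added` or `modified` inside an admin directory is the first place to look when a board has been customized with third-party hacks.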
Joined: Jan 2003
Posts: 338
Enthusiast
hmm.. but it happened not only on my forum...

Joined: Jul 1999
Posts: 118
Enthusiast
Independent of this bug, I think there should be a way to limit the power of admins.

Sort of a second-class admin, who at least cannot give arbitrary database commands!! Or a super-moderator with increased power.

Do you have an admin log that says the username of the person that gave the commands? Maybe the person cracked that password for the database and accesses it directly? Does your database allow remote access? Did you study the security precautions on mysql.org (?)

Or maybe they log into your server?

Joined: Apr 2001
Posts: 3,266
Member
If I remember correctly, you ran a highly modified 6.1 site. I, as Josh has stated, would suspect a bad hack. On a clean install I see no way to get in. Unless a hack you're using lets someone gain access to your database password and user, I see no way to do it.


The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 