MyBB Hacks

Admin Can Login as Any User
Hey all.
I'm new to MyBB, just playing around with setting up a site.
Installed this plugin, and it's GREAT!
Works just like it should.
Using it for the purpose intended... to check permissions with a tester account. Nice to not need to log out, then into Tester, then back to my account.
Super.
Thanks.
Hi Yumi,

PHP Code:
function admhijack_login()
{
	global $mybb,$admhijack_config;
	if(
		(
			(
				# User is not a root user
				$mybb->usergroup['cancp'] != 'yes' && $mybb->usergroup['cancp'] != 1
			)&&(
				# configuration NOT set
				!isset($admhijack_config['leader_group'])
				# Not a leader
				|| $admhijack_config['leader_group'] != $mybb->user['usergroup']
				# No Staff for this leader
				|| !$admhijack_config['have_staff']
				# Leader trying to become admin
				|| !$mybb->input['uid']
				|| !$admhijack_config['admin_upto']
				|| $mybb->input['uid'] <= $admhijack_config['admin_upto']
			)
		)
		|| $mybb->input['do'] != 'hijack'
		|| !$mybb->input['uid']
	){return;}

	# (remainder of the function is not shown in the post)
}

I am experimenting with the above changes and it is working; however, I would like your review on this. This is for a big forum, and I don't want someone to get unauthorized access.
Thanks

Well, all it is, is logic, so if that all makes sense to you, I don't see what there's to review.
Your 'uid <= upto' check is interesting, and potentially problematic.

But otherwise, I don't see why you'd grant non-admins the ability to log into other accounts, so I can't provide any advice from my understanding.
Thanks, Yumi, for replying. uid <= upto are my own uids (say, up to the first 20 users), created to become leaders, but not admin.
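
Added example (not part of the original thread and not the plugin's code): the guard posted above, inverted into an explicit allow rule so each condition can be checked against a table of constructed cases. The function name may_login_as(), the array shapes, the group ids and the strict uid parsing are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. may_login_as() and the array shapes
// are assumptions; the rule itself mirrors the guard posted above.
function may_login_as(array $actor, string $do, $rawUid, array $cfg): bool
{
    if ($do !== 'hijack') {
        return false;
    }
    // Accept only a plain decimal uid >= 1, so values like "21abc" or "1e2"
    // never reach the numeric comparison below.
    if (!is_string($rawUid) || !ctype_digit($rawUid) || (int)$rawUid < 1) {
        return false;
    }
    $uid = (int)$rawUid;

    // Users with Admin CP access keep the plugin's original behaviour.
    if (in_array($actor['cancp'], ['yes', 1, '1'], true)) {
        return true;
    }
    // Everyone else must be in the configured leader group, have staff,
    // and target a uid strictly above the reserved range.
    $upto = (int)($cfg['admin_upto'] ?? 0);
    return isset($cfg['leader_group'])
        && (int)$cfg['leader_group'] === (int)$actor['usergroup']
        && !empty($cfg['have_staff'])
        && $upto > 0
        && $uid > $upto;
}

// Constructed configuration and cases: group 8 is the leader group, uids 1-20 are reserved.
$cfg    = ['leader_group' => 8, 'have_staff' => true, 'admin_upto' => 20];
$admin  = ['usergroup' => 4, 'cancp' => 1];
$leader = ['usergroup' => 8, 'cancp' => 0];
$member = ['usergroup' => 2, 'cancp' => 0];

$cases = [
    'admin -> uid 5'        => [$admin,  'hijack', '5',     $cfg, true],
    'leader -> uid 20'      => [$leader, 'hijack', '20',    $cfg, false],
    'leader -> uid 21'      => [$leader, 'hijack', '21',    $cfg, true],
    'leader -> uid "21abc"' => [$leader, 'hijack', '21abc', $cfg, false],
    'leader, no config'     => [$leader, 'hijack', '21',    [],   false],
    'member -> uid 21'      => [$member, 'hijack', '21',    $cfg, false],
    'leader, wrong action'  => [$leader, 'login',  '21',    $cfg, false],
];
foreach ($cases as $name => [$actor, $do, $uid, $c, $want]) {
    $got = may_login_as($actor, $do, $uid, $c);
    printf("%-24s %-5s %s\n", $name, $got ? 'allow' : 'deny', $got === $want ? 'ok' : 'MISMATCH');
}
```

The uid threshold only protects accounts whose uid falls inside the reserved range; it does not look at the target's usergroup, so an account with Admin CP access and a uid above admin_upto would still be allowed for a leader under this rule.
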
Is this still maintained?

I cannot get this working with MyBB 1.6.17

Any suggestions or alternatives?

When activated I get no additional options under users' profiles, though it installs fine.
If I use the function mod posted earlier I get an error on line 15 until the addon is removed.
Check that {$modoptions} exists in your member_profile template.
IIRC this will not work if the admin links are to be hidden (config.php).
How would you only show the login link to profiles with fewer than X posts? Basically so if the magic number was 100 posts, admins cannot log in to an account with more than 100 posts.
You could use a template conditional to do that, but a clever admin could probably work around it.

You'd need to explicitly change the plugin otherwise, if that's what you wanted.
Does this plugin work with MyBB 1.8?