Todd and Tyler Unauthorized Forums

Bud

So private messages really aren't 100% private?

__________________
Time is Short

Click Here, Free Naked Ladies

2007 TNTU.net Fantasy NASCAR Champion !!!

lilyvon schtupp

__________________
A man melts the sands so he can see the world outside.--U2, Lemon

Dave

Actually, private messages are stored in the database just like posts, so if I was interested in reading them I could. I think I've made that point before. It does take a little work though I think to match up recipient id's and sender id's to a message.

In this case however, I took care of problem by running a database query on the "pm_text" and "pm" tables to say "DELETE from <the table> WHERE fromuserid = 3645". 3645 is the userid for "Jeannette". I didn't have to browse through the private message table one by one, looking for spam messages.

Its a good question, and one that I've tried to address in the past. Yes, anybody that has access to the database your forum is using can read private messages. Obviously, its a frowned upon practice.

To curb the practice, and make them "more private", you can make sure that you delete your "sent" message as soon as you send it, and make sure that the recipient also delete's the message after reading it. Once the message is deleted by the sender and the recipient, it isn't saved anywhere in the database.

On this site, I'm the only administrator, and the only person with access to the database. In a normal vB environment, members assigned "administrator" status can only see the total number of private messages a person has. You need a different kind of access (via the database) to actually view the messages.

__________________
"Perverting the court of justice"
--------------------------------------------
Todd and Tyler Streaming
Questions, comments, concerns?
Contact the Empire

harmany

oh dave i love when you talk geek

__________________
BIG XII NORTH CHAMPIONS
GO TIGERS!!!

Bud

Thanks Dave.

Unless you know Floris.

__________________
Time is Short

Click Here, Free Naked Ladies

2007 TNTU.net Fantasy NASCAR Champion !!!

Dave

I don't know what that means. Floris from vb.com?

__________________
"Perverting the court of justice"
--------------------------------------------
Todd and Tyler Streaming
Questions, comments, concerns?
Contact the Empire

Bud

Or Dream.

Floris and Dream both have add ons to vbulletin that make it very simple and easy to read PM's of anybody.

Super Admins can Read Private Messages - vBulletin.org Forum

Read PMs - vBulletin.org Forum


I am in no way implying that our admin is reading our PM's, I would like to think that our admin is above that, only that PM's are not as "private" as you may think. Regardless of the site you are on.

I'm only showing this so that you can cover your ass, especially in todays world.

I'm not sold on this either. I always delete my PM's. And on more than one site, this one included, I have experienced a board having to goto a backup due to a software problem or who knows what. Anyways I've had deleted PM's show back up.

So don't go telling stories of how you killed your mother-in-law and buried her in the neighbors back yard in PM's.

__________________
Time is Short

Click Here, Free Naked Ladies

2007 TNTU.net Fantasy NASCAR Champion !!!

ob1

Dave, I think you have addresssed the issue with more disclosure and better ethics then what I have been involved with in the past with other boards. Thanks for being direct.

PM's are private only in the sense that they cannot be read publicly by the members of the site.

Bud

Ditto. If it wasn't for Dave sparking my interest I would still have a false sense of security.

I guess no more dealing Pugs on the black market via PM's.

__________________
Time is Short

Click Here, Free Naked Ladies

2007 TNTU.net Fantasy NASCAR Champion !!!

Dave

Yes, I agree, I don't mind talking about security and access. A lot of boards/sites don't even mention who their admins or mods are, so I always try to make it a point that I'm the only one with that access.

If your ever curious about a vbulletin site, the "admins can read PM's" hack is easy to spot if you're thinking about joining a vB message board. If you visit the site's forum, and try to go to this url:
http://thesite.com/theforumurl/admincp/pm.php

Iff you see an administration log in page, then the hack is installed, if you get a "page not found" message, or are redirected to the site's home page, the hack isn't installed. You can use this whether you're a registered member to the forum or not.

__________________
"Perverting the court of justice"
--------------------------------------------
Todd and Tyler Streaming
Questions, comments, concerns?
Contact the Empire

ob1

Thanks for the insite Big Guy!

Bud

Good trick.

But doesn't the other one hide in the regular control panel?

__________________
Time is Short

Click Here, Free Naked Ladies

2007 TNTU.net Fantasy NASCAR Champion !!!

Dave

Yes, but the other one puts a file called "read_pms.php" in the admincp folder, so to check for both hacks, look for a "pm.php" and "read_pms.php" in the "admincp" folder of the vBulletin installation on the site.

__________________
"Perverting the court of justice"
--------------------------------------------
Todd and Tyler Streaming
Questions, comments, concerns?
Contact the Empire

lilyvon schtupp

__________________
A man melts the sands so he can see the world outside.--U2, Lemon