Add More Membergroups Security Fix
1.0
There is a bug in the mod 'Add More Membergroups 1.5' that allows global moderators to read all passwords and even to change restricted profile data such as email or password. It is also possible for them to give any registered member administrator access. This fix takes care of all these problems.
Michael Prager
http://www.boardmod.org
Sources/MemberGroups.pl
unless( $settings[7] eq 'Administrator' || ($settings[7] eq 'Global Moderator' && $allowgmod_editprof)) {
# reload values that can't be changed by global mod
unless (-e "$memberdir/".$member{'username'}.".dat" ) { &fatal_error('user does not exist'); }
&LoadUser($member{'username'});
$member{'passwrd1'} = $userprofile{$member{'username'}}->[0];
$member{'passwrd2'} = $member{'passwrd1'};
$member{'name'} = $userprofile{$member{'username'}}->[1];
$member{'email'} = $userprofile{$member{'username'}}->[2];
$FORM{'hideemail'} = $userprofile{$member{'username'}}->[19];
# don't allow to change postcount or position of edited member is admin or global mod
if($userprofile{$member{'username'}}->[7] eq 'Administrator' || $userprofile{$member{'username'}}->[7] eq 'Global Moderator') {
$member{'settings6'} = $userprofile{$member{'username'}}->[6];
$member{'settings7'} = $userprofile{$member{'username'}}->[7];
}
# don't allow anyone but admin to change edited members position to admin
if ($settings[7] ne 'Administrator' && $userprofile{$member{'username'}}->[7] ne 'Administrator' && $member{'settings7'} eq 'Administrator') {
$member{'settings7'} = $userprofile{$member{'username'}}->[7];
}
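Review bot: at the existence test `-e "$memberdir/".$member{'username'}.".dat"` and the `&LoadUser($member{'username'})` call that follows, the submitted username is used to build a file path with no validation visible in these lines. Confirm that the name is restricted to the allowed username characters before this point, or add that check here, so the reload can only ever read a profile inside the member directory. Separately, the last `if` only reverts `settings7` when a non-administrator submits 'Administrator'. A global moderator editing an ordinary member can still submit 'Global Moderator' as the new position, so either document that this is intended or extend the condition to cover it. Minor: in the comment above the second check, "of edited member is admin" should read "if edited member is admin".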