$1 000: If you can move or delete a post that you are not supposed to be able to

[LoyceV]

The topic title comes from Security bounties:

$1 000: If you can move or delete a post that you are not supposed to be able to

The Auctions board has this description:

Auctions may optionally be placed in this section. Topics and replies in this section can't be modified or deleted.

There's a long known "bug", which I've just tested and confirmed: if I move a topic from Auctions to another board, I can edit or delete my own posts, and then move it back to Auctions. This shouldn't be possible.

Proposed solution: users shouldn't be able to move topics into or out of Auctions.

I broke the bounty requirements:

You must report the bug to the bugs email address listed on the contact page. You must not publish it elsewhere or share it with anyone else.

This was on purpose because this bug has been mentioned before. I'm only posting it now because it's explicitly mentioned on the bounty page.

[LoyceV]

So you chose full disclosure rather than responsible disclosure

Yes.

i wonder how theymos feel about this.

I think I won't get the bounty

But what do you mean by "There's a long known "bug""?

I've mentioned this possibility before. I just didn't know it's in the Security bounty list. And since it's about deleting or editing your own posts and not someone else's posts, I assumed it isn't what the bounty was meant for.
Following the bounty protocol would make it look like I'm after the bounty, for something that looks like "semantics" to me.

[DaveF]

If was mentioned it before and nothing was done then you did nothing wrong in the spirit of disclosure. Once it's been discussed and out there bringing it up again is fine.
Actually it's better since it means that if something does 'go wrong' because of it there is no hiding the fact that it's known.
Don't know what could really happen except some people doing some bad things in the auctions section in terms of bids, but that is somewhat easily resolved with your and other post scrape bots.

-Dave

[Upgrade00]

The topic title comes from Security bounties:

$1 000: If you can move or delete a post that you are not supposed to be able to

If you take the literal explanation of the bounty on moving and deleting a post you are not supposed to and compare that with the auction rule, it could be said that it still stands and you "can not" move or delete a post you're not supposed to; while the post is in the auctions board, it's impossible to edit, when you move it to another board it conforms to the rules of that board, if you move it back to auctions; again, you cannot edit it. Just like how you can start a thread as self mod and remove that feature, even though it should not be possible.

This is definitely something that can be exploited, I'm just not sure it is in accordance with the bounty agreement.

[PrimeNumber7]

I know the selfmod flag is removed when you move a thread when the OP moves it into a section that disallows self-moderation.

You could potentially edit your post if you created a thread outside of auctions and subsequently moved it into auctions. There are also auctions in the collectibles section whose posts can be edited/deleted.

If you were to move a thread out of auctions, if the thread is appropriately located in the other sub, the OP should have the ability to edit their posts.

[dkbit98]

There's a long known "bug", which I've just tested and confirmed: if I move a topic from Auctions to another board, I can edit or delete my own posts, and then move it back to Auctions. This shouldn't be possible.

Have you checked the latest news about top secret to-do list made by theymos?
I hear it's getting bigger every day, it's directly connected with market value of Bitcoin, and it's going to be cleaned with new forum software.

Proposed solution: users shouldn't be able to move topics into or out of Auctions.

I don't think this is a good solution because you will always have people making topics in wrong boards, so they will have to be moved eventually.
Maybe simple solution for this board would be to edit desciption into something better, or changing the rules slightly.

I think I won't get the bounty

You are simply not fit to be a bounty hunter...

[theymos]

I don't think that this should be eligible for a security bounty in any case because things are essentially working as intended: you're supposed to be able to move topics out of Auctions, and you're supposed to be able to edit posts outside of Auctions.

Edits are not allowed in Auctions mainly to prevent people from being able to edit their bids, in replies. I suppose there is a potential issue with collusion between the OP and auction participants, and perhaps there are edge cases where the OP could somehow do evil by editing or deleting their own posts in the thread, so I made it no longer possible to move your topics out of Auctions.

[LoyceV]

I don't think this is a good solution because you will always have people making topics in wrong boards, so they will have to be moved eventually.

They can still use Report to moderator.

I don't think that this should be eligible for a security bounty in any case

I didn't think so either. Just some click bait in the title.

Edits are not allowed in Auctions mainly to prevent people from being able to edit their bids, in replies. I suppose there is a potential issue with collusion between the OP and auction participants, and perhaps there are edge cases where the OP could somehow do evil by editing or deleting their own posts in the thread, so I made it no longer possible to move your topics out of Auctions.

Thanks! The only abuse I can still think of, is reporting the topic to move it to another board, after which OP can "do evil" and move it back