My Mybb 1.6 Forum hacked?
(Dec 15, 2010, 12:20 AM)MasterZuFu Wrote: Aside from that, you shouldn't be putting down any thought that MyBB might have an exploit that hasn't been made public yet. You tell me the last hacker who found an exploit and wanted to tell the world so it could be patched... why do that when you can have fun fun fun all day long and not have anyone know what's wrong? If there really is an exploit for 1.6 you're a dumbass for not looking at it seriously.

I have never once said that there is absolutely categorically not a single vulnerability in MyBB, but saying "I've been hacked and they're just telling me it's MyBB" does not mean that we go to Defcon 1 red alert and start panicking trying to find what it could be. Of course we keep it in mind and look for patterns in reports, but simply being told you got hacked via MyBB is not information we can do a lot with, I'm sure you can understand that. There may well be a vulnerability that hasn't been released, I've never said that's impossible, but short of looking over every line of code in the software, we can't do much, and that's assuming there even is a vulnerability. We're always on the lookout for possible issues and fix the ones we know of, and we always investigate credible reports. There's little more we can do than that to make sure we're secure. It's not a case of not wanting to admit it's our fault, if there is something we can fix, we release an update to patch it, but we cannot fix a problem we do not know about, or that we have no information on, that much is obvious. It's like trying to find a needle that may not even exist in a whole field of haystacks. As you can see, we've just released 1.6.1 which fixed some XSS issues, which was something that was reported to us, and was something we could actually fix.

What I might do though is write something for the MyBB forums for people to give what information they do have after they've been hacked. Do you still have your server access logs? An XSS attack would show up clearly in access logs. Run the file verification tool to make sure no files have been edited.
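Added example, not code from this thread or from MyBB: a small scanner that does what Matt suggests above, going through Apache "combined"-format access log lines and flagging requests whose URL (after URL-decoding, including double encoding) contains typical reflected-XSS markers. The log lines, IP addresses and indicator list are constructed for the example; tune the indicators to your own forum's URLs.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" access log format:
#   ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Strings that rarely appear in a legitimate MyBB URL but are typical of reflected-XSS probing.
# Compared after URL-decoding and lowercasing, so %3Cscript%3E, <SCRIPT> and <script> all match.
# This list is an assumption for the example, not a complete signature set.
XSS_INDICATORS = (
    "<script",
    "javascript:",
    "onerror=",
    "onload=",
    "document.cookie",
    "<svg",
    "<img",
)


def decode_uri(path: str) -> str:
    """URL-decode up to three times (catches double encoding such as %253C -> %3C -> <), then lowercase."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()


def find_xss_indicators(lines):
    """Return one record per request whose decoded path contains at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line (or truncated); skip rather than crash
        decoded = decode_uri(m.group("path"))
        found = [ind for ind in XSS_INDICATORS if ind in decoded]
        if found:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "indicators": found,
            })
    return hits


# Constructed sample lines, not real traffic. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Dec/2010:00:20:11 +0000] "GET /search.php?keywords=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Dec/2010:00:21:02 +0000] "GET /index.php HTTP/1.1" 200 8844 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Dec/2010:00:22:40 +0000] "GET /member.php?action=profile&uid=1%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4020 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [15/Dec/2010:00:23:15 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in find_xss_indicators(SAMPLE_LOG):
        print(h["time"], h["ip"], h["indicators"], h["path"])
```

Two caveats worth knowing before relying on this: the default log formats record only the request line, so a payload sent in a POST body (a stored XSS posted through a form) never appears in the access log, and a 200 status on a flagged request does not by itself mean the page reflected the input. Treat a hit as a lead for checking the page or the database, not as proof of compromise.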
Matt, I apologize for coming off as harsh as I did. I've been the guy in the middle before and had everyone ignoring me time and time again, waiting weeks and weeks for a response to a thread and only getting junk support. From the posts you had made earlier, it seemed more to me like you were ignoring the possibility of a vulnerability and were more concerned with holding up the name of the MyBB security and method than actually giving support. I understand completely that you can't go on defcon 1 red alert just because some guy says there's a vulnerability, but you don't have to say "well, just because you say it's MyBB's fault, doesn't mean it is" and then not even provide any actual support. If you had actually given support when you said that it wouldn't have been so bad to me, but you didn't and it came off to me (and to him judging from his response to your response) that you weren't interested at all in actually giving support, rather, reclaiming the high name of MyBB.

With that said, thank you very much for your response (and for the news of MyBB's newest release which I hadn't heard of yet :P). Suggestion: what would it take to place security measures in MyBB that would enable administrators to simply click a button "report" and have it generate a report that would give you, the MyBB support team, the information and data you need to detect if there was a vulnerability or not when the forum was hacked? Just curious.
I'll admit my original replies were hardly great either, I can see exactly what you mean, so I apologise for that too.

The problem with having it automated is it'd be hard to actually tell what information is needed. I mean if it was a form or something that people filled out when they got hacked they could explain what actually happened; defacement, admin perms removed, new user with admin perms, files uploaded etc. However then we'd have to analyse every plugin they had installed to see if any of them could have caused it, and often people who get hacked have well over 50+ plugins installed. Then they'd probably need to upload a portion of their access/FTP log to see if that helped. But there's no guarantee this would do anything, what if the admin used crap passwords, or got phished, or got keylogged, or their email account was hacked and someone reset their password, or they went and left their admin account logged on on a public computer, or it was some other software/hosting account on the server at fault... there are so many variables with this that it's unlikely that even if all the information I've mentioned was given, we'd be able to track down where exactly in the code the issue was. However, I'll give it some thought and see if I can think of a way to do it well; I guess even if 100 reports lead to nothing, if 1 leads to finding and fixing a vulnerability, it'd be worth it.
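Of the facts Matt lists as useful in a report, "files uploaded" and "files edited" are the ones an admin can establish mechanically, which is the idea behind the file verification tool mentioned earlier in the thread. Added example, not MyBB's own tool or code: a checksum manifest taken while the install is known to be clean, compared against the live tree after an incident, reporting modified, missing and added files. The skipped directories (cache, uploads) and the per-install files that legitimately differ from the release (inc/config.php, inc/settings.php) are assumptions for the example; the demo builds a throwaway tree in a temporary directory rather than touching a real install.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumptions (not taken from MyBB): directories that change at runtime and so are skipped,
# and per-install files that legitimately differ from the release and must not be flagged.
SKIP_DIRS = {"cache", "uploads"}
IGNORE_FILES = {"inc/config.php", "inc/settings.php"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX-style) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk does not descend into skipped directories.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if rel not in IGNORE_FILES:
                manifest[rel] = sha256_of(p)
    return manifest


def verify(root: Path, known_good: dict) -> dict:
    """Compare the install at root against a known-good manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in known_good if p in current and current[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in current),
        "added": sorted(p for p in current if p not in known_good),
    }


def write(root: Path, rel: str, content: str) -> None:
    """Helper for the constructed scenario: create parent dirs and write a text file."""
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo() -> dict:
    """Constructed scenario: snapshot a clean install, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write(root, "index.php", "<?php // constructed stand-in for index.php\n")
        write(root, "inc/class_core.php", "<?php // constructed stand-in\n")
        write(root, "inc/config.php", "<?php // per-install database settings\n")
        write(root, "cache/themes/master.css", "body{}\n")
        known_good = build_manifest(root)  # taken while the install was known to be clean

        # Simulated post-incident state
        write(root, "index.php", "<?php // constructed stand-in for index.php\n// injected line\n")
        write(root, "inc/plugins/extra.php", "<?php // file that was never part of the release\n")
        write(root, "inc/config.php", "<?php // admin changed DB password; must NOT be flagged\n")
        write(root, "cache/themes/master.css", "body{color:red}\n")  # runtime cache, skipped
        (root / "inc/class_core.php").unlink()

        return verify(root, known_good)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest has to be stored somewhere the web server cannot write (or signed), otherwise whoever edited the files can edit the manifest too; and a clean result says nothing about the database, where a changed admin password or an added admin account would live.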
I think that may be too tedious then. It wouldn't be 100 reports, it'd be like a couple thousand, and sifting through all that data would be like finding a needle in a proverbial haystack. You'd have to have something more exact than that to get anything at all. If something like the server got rooted by means of another website, then this report would tell us nothing as far as how it was hacked, because the guy came in from the inside and all MyBB would see is maybe a changed password.

I think the best way to be sure is to build MyBB in a way that comes default security enhanced, like the way Ubuntu server comes default with all ports closed, so should MyBB come in a way that locked everything down and has to be manually opened. I see security tips and whatnot all over the place, but why isn't MyBB built with those security features already done? Like, include a few .htaccess files with the default MyBB install that blocks access to certain files and directories. Heck, give MyBB access to modify .htaccess and create .htaccess and .htpasswd files from the admin panel (I'm not sure how plausible that would be, the directories would have to have upload permissions etc. etc., so not sure that's such a good idea). But including a .htaccess file preinstalled that can be modified via the admin control panel, I think that's possible, not sure though. And you could have it where they can click "yes" for admin password on the ACP, and then type a password and username there in the ACP and it updates the .htaccess file or something.

I don't know, I'm just kind of rambling. I know that people use what software they have, and if it comes default then they rarely learn how to change it from the default, so, if a software company wants to protect their stuff, they have to send it default and give instructions on install on how to open it up as needed. Rather than generating a thousand bland reports to sift through, I would find it more beneficial to just lock down the system and make it easier for admins to set it up how they want it upon install, the least this could do is reduce the number of reports and hacks being reported for lack of security knowledge.
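On the "ship it locked down" idea above: the part that is easy to do today, without waiting for it to be built into the ACP, is auditing whether the directories a browser never needs to execute scripts in actually carry a deny rule, and writing one if not. Added example, not MyBB's code or its shipped .htaccess files. The directory-to-policy mapping is an assumption for the example (inc/ is only ever included by PHP, so it is denied outright; cache/ and uploads/ serve stylesheets and avatars directly, so they stay readable but block script execution); the demo runs against a throwaway tree in a temporary directory.

```python
import tempfile
from pathlib import Path

# Apache 2.4 directives. On Apache 2.2 the equivalent is "Deny from all"; nginx ignores
# .htaccess entirely and needs the same rules in its server block instead.
DENY_ALL = "Require all denied\n"
NO_PHP_EXEC = (
    '<FilesMatch "\\.ph(p[0-9]?|tml|ar)$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)

# Assumption, not MyBB's own list: inc/ holds only included PHP and is never requested by a
# browser, so it can be denied outright; cache/ and uploads/ serve stylesheets and avatars
# directly, so they stay readable but must never execute a script dropped into them.
POLICIES = {
    "inc": DENY_ALL,
    "cache": NO_PHP_EXEC,
    "uploads": NO_PHP_EXEC,
}


def audit(root: Path) -> dict:
    """Return one status per protected directory: ok, absent, no_htaccess or weak."""
    report = {}
    for rel, policy in POLICIES.items():
        d = root / rel
        ht = d / ".htaccess"
        if not d.is_dir():
            report[rel] = "absent"
        elif not ht.is_file():
            report[rel] = "no_htaccess"
        elif policy.strip() in ht.read_text():
            report[rel] = "ok"
        else:
            report[rel] = "weak"  # an .htaccess exists but lacks the required rule
    return report


def harden(root: Path) -> list:
    """Create or extend .htaccess in each protected directory; return the paths written."""
    touched = []
    statuses = audit(root)
    for rel, policy in POLICIES.items():
        status = statuses[rel]
        if status in ("ok", "absent"):
            continue
        ht = root / rel / ".htaccess"
        existing = ht.read_text() if status == "weak" else ""
        if existing and not existing.endswith("\n"):
            existing += "\n"
        ht.write_text(existing + policy)  # keep the admin's own directives, append ours
        touched.append(ht.relative_to(root).as_posix())
    return touched


def demo() -> tuple:
    """Constructed scenario: a tree with no protection, one partial .htaccess, then harden."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("inc", "cache/themes", "uploads/avatars"):
            (root / rel).mkdir(parents=True)
        # cache/ already has an .htaccess, but it only disables listings, not script execution
        (root / "cache" / ".htaccess").write_text("Options -Indexes\n")
        before = audit(root)
        touched = harden(root)
        after = audit(root)
        return before, touched, after


if __name__ == "__main__":
    before, touched, after = demo()
    print("before:", before)
    print("wrote:", touched)
    print("after:", after)
```

Two things the script cannot check for you: .htaccess is only honoured when the vhost's AllowOverride permits it (otherwise Apache silently ignores the file and the audit reports "ok" for a rule that does nothing), and a deny rule does not stop PHP itself from including a file that was uploaded, so this complements the checksum verification rather than replacing it.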

