MyBB Community Forums - 1.6 Security Management and Support

Is 1.6.18 considered "solid"

Sat, 26 Sep 2015 16:23:22 +0000

Unfortunately I have as many as 4 mybb forums and I am finding it terribly difficult to upgrade to 1.8. I feel it's only prudent for me to have a hard look at what other option I may have.

I have suffered from sql injection in the past and I hope some kind soul can give me guidance here, specifically on whether 1.6.18 is considered free of any known vulnerabilities.

Obviously I wouldn't want to go out of the frying pan into the fire, so to speak, so it would be kind if someone could guide me on whether 1.6.18 is considered pretty solid.

I have read the threads here and also the blog, but I haven't been able to grasp if the final version of 1.6 is considered to be as secure as 1.6 can be made.

I greatly appreciate any assistance.

How to stop a pathetic spammer-HELP!

Tue, 22 Sep 2015 04:47:23 +0000

hello friends,

I recently used mybb forum for one of my client

but he is struggling to ban a spammer

he banned him 2 times from different ip

but he keeps coming back.. i guess he is using some vpn

is there any way to ban some one .. no matter how hard they try.. or its not possible to do so?

he is using MyBB 1.8.6

mybb 1.6.4 Security patches

Fri, 04 Sep 2015 15:43:58 +0000

Hello!
Can you give me security patches for mybb 1.6.4, please?

http://blog.mybb.com/wp-content/uploads/...atches.txt - Page not found

Costum IP - Hide yourself

Wed, 26 Aug 2015 21:47:56 +0000

Hello there

I was wondering, can I totally fake my IP address by modifying the get_ip(); function in /inc/functions.php ? (the related file: https://github.com/mybb/mybb/blob/master....php#L3000 )

I tried to add this in the bottom of the get_ip(); function (just before the "return $ip;" )

if($mybb->user['uid'] == '3456')
{
	$ip = '64.233.184.94';
}

where 3456 is my user identifiant, and 64.233.184.94 a fake IP address, I want to replace the real one only for me...

But it doesn't work... (of course I have added the line "global $db;" at the top of the function get_ip(); )

Can you help me please ?

Mybb 1.6.15

Require moderate for approval for first post?

Mon, 03 Aug 2015 19:55:18 +0000

I have every spam plug-in available installed on my forum and it does absolutely nothing to stop the immense amount of spam bots from ruining the experience with constant spam. What I want to do is force moderator approval for a users initial post. Until that first post gets approved, no posts of theirs will show up.

This will allow me to simply ignore posts by spambots because my legitimate user registration is fairly small so I don't really need to worry about it very often.

Is there some sort of setting or plug-in that will allow me to force moderation for the new users first posts?

Super Admin

Fri, 03 Jul 2015 18:35:55 +0000

Hi mybb co-user,

This thread is related in my previous post Here

I find out that Super Admin in our forum is not just only (1) its (2) Super Admin, when i look in our config.php

The Super Admin no. 1 i already know because he is user no. 1 with ACP Access the i see in ACP panel..

The Second Super Admin i find out is far away number of user 1 and he is under "Newbie group" that no one can notify and he participating with us lately. (but i have doubt because his online activity, but i keep on secretly)

I dont know what his purpose of my friend? Im thinking he want to have a extra Hidden Super Admin? or undeletable account?

The second Super Admin can access ACP without in "Administrator group"? or it is safe what he do? is is safe what he do?

#NoobHere

Thanks for the future reply and help..

Want to change the Location of config file from /inc/config.php

Sun, 28 Jun 2015 00:53:26 +0000

Asalamo alikum ,
GUys due to some secuirty improvements i want to change the location of My Config file from /inc/config.php to another secure directory where Someone Can't fnd it easily

In Wp we have such plugins to do that, But any ways its can be done manually in few minutes,
I just wanted to ask that Which ( Modules / Files ) are using /inc/config.php in them so when i change its location in them manually i also change the location of this file in Acoording Db's Like in Admin n Others,

i'll be w8ing for ur rply

or someone give me a proper info about it

Need Help Banning A User FOR GOOD.

Tue, 02 Jun 2015 20:52:54 +0000

Hi there, we are having great troubles with a problematic user. We have banned his IP addresses correctly, but he just keeps on creating/using new ones somehow. I'm not sure what further steps we can take to prevent this person from signing up to our site. Any ideas would be greatly appreciated! The only idea I have is to shut down registration, but obviously that is not fair to others who wish to sign up. How does this individual keep signing up to our site with so many multiple IP addresses? And what can I do to prevent this from happening? I have banned about 50 or more of his thus far, and as soon as I do he just creates a new account that uses another IP address, is the problem. I've heard of proxy servers, which this person might be using I guess... Is there some way to prevent those from registering/signing up maybe?

Thanks mybb team,
Mike

EDIT: Sorry I noticed I posted this in the wrong section, should be in the Security threads. And also our forum is 1.6 not 1.8, I created this thread quickly as I'm on my lunch break - I'd delete it and re-post it there but as far as I can tell there is no way to delete my own post???
Sorry, it's been one of those days...

Custom profile field contents not retained

Wed, 20 May 2015 02:28:36 +0000

I have set up a custom profile field that is required during rego, as a means to determine whether the people are eligible/legitimate for the forum, before I activate them.

It has been strange that there was no data in this field when I go to activate new regos - they are completely empty.

I thought the "required" process was not working.

However, I have done some test regos to check this.

Data can be entered and it is certainly acting as "required" before rego can be completed.

Why are the entries to that field not showing up in the profiles?

I am using V 1.6.15. It also did not work prior to last upgrade.
Settings in Custom profile fields: Required: yes; Editable: Yes; Hidden: No
Image attached of that field's options. (I don't know what the 200 at the bottom means)

I look forward to your assistance.

Custom profile.png (Size: 77.71 KB / Downloads: 368)

anti-spam measures "stopped" working

Tue, 19 May 2015 19:41:20 +0000

Hi guys,

for years I've been able to block spam registrations/spam bots by:

1. auto check registrations against the stopforumspam.com database
2. requiring a security question at sign-up
3. having a hidden profile field only bots can see and will deny registration when it's used
4. captcha

However, since a few weeks we get a lot of (unactivated) registrations from spambots (read: about 100 or less), mostly from Poland etc. I'm not sure why this suddenly happens, while the anti-spam measures have been good for the past 7 years or so. And I'm not entirely sure what I can do about it, besides all the things I've already running to block these kind of things.

Any other advice how to deal with this?

* Running 1.6.16

1064 - You have an error in your SQL syntax

Sat, 04 Apr 2015 05:44:08 +0000

My site forum.mytabletguru.com is showing

MyBB has experienced an internal SQL error and cannot continue.

SQL Error:1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'index' ,'index_whosonline' ,'index_whosonline_memberbit' ,'forumbit_depth1_cat' ' at line 1QueryELECT title,template FROM mybb_templates WHERE title IN (' ,'index' ,'index_whosonline' ,'index_whosonline_memberbit' ,'forumbit_depth1_cat' ,'forumbit_depth1_forum' ,'forumbit_depth2_cat' ,'forumbit_depth2_forum' ,'forumbit_depth1_forum_lastpost' ,'forumbit_depth2_forum_lastpost' ,'forumbit_moderators' ,'forumbit_subforums' ,'index_birthdays_birthday' ,'index_birthdays' ,'index_loginform' ,'index_logoutlink' ,'index_stats' ,'forumbit_depth3' ,'forumbit_depth3_statusicon' ,'index_boardstats' ,'headerinclude' ,'header' ,'footer' ,'gobutton' ,'htmldoctype' ,'header_welcomeblock_member' ,'header_welcomeblock_guest' ,'header_welcomeblock_member_admin' ,'global_pm_alert' ,'global_unreadreports' ,'global_pending_joinrequests' ,'nav' ,'nav_sep' ,'nav_bit' ,'nav_sep_active' ,'nav_bit_active' ,'footer_languageselect' ,'header_welcomeblock_member_moderator' ,'redirect' ,'error' ,'global_boardclosed_warning' ,'global_bannedwarning' ,'error_inline' ,'error_nopermission_loggedin' ,'error_nopermission') AND sid IN ('-2','-1','3') ORDER BY sid ASC

I am able to access the dashboard.

In the "file verification" option two files is shown changed. No changes has been made from our side.

inc/functions.php

inc/class_templates.php

Plz suggest how to fix this.

[SOLVED] A banned user becoming an active user again (by itself)

Sat, 28 Mar 2015 21:26:14 +0000

Hi there
Something very strange has been happen on our forum this week.

An user (spammer) has been posting porn content almost every day, even I had banned him.
Initially I thought I was doing something wrong during the process (that is too simple), because in the next day we got the same user post the same porn content.

Today I checked the Moderator Logs and confirm I had already banned him four times (Mar 23, 24, 26 and 27).

Today I notice him accessing the forum at morning (still banned); afternoon (still banned) and now he was already "unbanned" (of course I banned he again).

So, it seems there is something that he can do and gain back his access. Is there any known vulnerability related to this?

Is there anything I can do to try discover how he are doing that? (becoming "unbanned")

I also noticed he was "reading no permission page" in during the banned status. What does that means?

We are using the MyBB 1.6.16.

Thanks in advance
Micheus

Same page get load. Not going on internal pages

Fri, 20 Mar 2015 05:30:10 +0000

For forum http://forum.mytabletguru.com
On clicking on any internal page link same page get refreshed. But the url is changed.

Plz help..

My forum redirect porn sites from smartphone

Sun, 22 Feb 2015 23:58:36 +0000

About a month, I realized that by opening the forum by smartphones with iOS(not tried android), I am redirected to porn sites.
If my forum opening to desktop computer all ok !
What do I control?
thanks 1000

My site is getting constantly DDoSed. - Help

Sun, 15 Feb 2015 20:05:22 +0000

My site is getting constantly ddosed and I'm so tired of it.

Are there any codes to protect the site I can add to myBB or something?
Do you guys have any tricks, and i dont know anything about servers i feel lost.