Regarding the "Debug mode, change users password" Vulnerability

[Chris Boulton]

Hi,

It has come to our attention that users have discovered what they believe to be a vulnerability in MyBB with the lost password functionality and debug mode.

We want to make it clear this is not a vulnerability in MyBB and has hugely been miss-reported and identified by "HACKERS PAL" the group who "discovered it".

The supposed vulnerability states that using the MyBB debug mode users can see the challenge code we save in the database for password resets and this can then be used to change the password of a user.

Lets look at the facts:

• The ?debug=1 mode parameter is only available to Administrators who can also change the password of a user using the Admin CP.
• If for some reason debug mode is publicly accessible and someone does manage retrieve an activation key, it will just reset the password of the user and MyBB will email them a new one - the person attempting this "exploit" would not be able to specify a new password for the user or see the newly generated one.
• The debug mode is a list of queries. If this were a true exploit it could be stated that the debug mode also allows you to see things such as registered email addresses being checked in the back end, login keys, encrypted passwords and password salts.
  

We're treating this vulnerability as bogus due to the above reasons.

If for some reason you do have the debug mode functionality accessible to the public (either by a code modification yourself or someone else) then we recommend you disable it.