MyBB Community Forums

Full Version: Registered user got Admin Rights
Hello,

We installed MyBB 1.1.2 on our site http://www.xploreforums.com. But someone registered as str0ke. I don't know how he got Administrator rights. He deleted the Admin user, set the board status to offline and put a redirection to http://kabustr.com//by-kabustr-hackedz/hackedtrex.php. Please tell me how it happened....

Thanks in advance
Update the forum to 1.1.5 to fix this bug.
Yup. The hacker probably used an exploit that was patched in 1.1.4/1.1.5.
Hello MyBB Team,

Thanks for your replies. I have already upgraded to 1.1.5. But I want to know how it happened... was it SQL injection or what? Please tell me...

Sorry, but since it is a serious problem they won't give you the information, to avoid this happening to those who have not updated MyBB yet.

edit:
Read this: http://community.mybboard.net/showthread.php?tid=10111


Excuse me for my bad English.
Ah, "str0ke." I've deleted his account twice already from my board. Good thing he never caught me running anything but the latest version.
Hello MyBB Team,

Here I want to give some information about that user str0ke. He registered from the following IP: 88.224.99.16. If you think it's useful, please suggest it to all users of MyBB board software.

With Regards

makpaolo Wrote: Sorry, but since it is a serious problem they won't give you the information, to avoid this happening to those who have not updated MyBB yet.
Actually this is viewable for most users that can search. It was an SQL injection, yes.
Educating users after the fix is given is not bad. Actually, it is not advisable to post about things openly, and everyone recommends intimating the development team (when a new bug appears or when you find some vulnerability etc.) ONLY while it takes time for the FIX to be released.

Once the fix is out and users are intimated about it, it will be nice to post about it in the respective forum so users who did not encounter this can know about it and implement that fix on their site.

Keeping things CONFIDENTIAL before the fix is made is acceptable, sir, and even though we do not conflict with your thoughts, we feel it would be nice if users were educated about possible effects and fixes in a more effective way, eliminating the communication gap.

Hope you got my point now, sir.

Thank You

Galen Wrote: Ah, "str0ke." I've deleted his account twice already from my board. Good thing he never caught me running anything but the latest version.
I have banned his account to stop him hacking with that account.
http://www.rccarsource.com/forums/showth...hp?tid=172

And it seems that he has also written scripts to hack vB too:
http://www.milw0rm.com/author/842

I always upgrade almost instantly to the latest version; 1.1.5 was no exception. I upgraded within about 1 to 1 1/2 hours after the patch was released.