MyBB Community Forums

Full Version: Myshoutbox - SpiceFuse exploit readonly
Hello,

This exploit permits a user to read the shoutbox even if the user is banned or not logged in.

Repository: https://github.com/SabriHaddouche/Mybb-Exploit-Shoutbox
Mod: http://mods.mybb.com/view/myshoutbox
Going to give that a try.
Everyone can view the shoutbox without being logged in if the admin decides to. Going to look into that now.

Btw, what do you mean by banned? Banned from the shoutbox or the forums?
SpiceFuse shoutbox does not have Shoutbox banning.
Banned from the forum and… some people do not show their shoutbox to the public.
(2011-08-25, 01:08 AM) Blackdown wrote: Banned from the forum and… some people do not show their shoutbox to the public.

Yes I just figured that out. Fixing it right now.

Thanks!
You're welcome,

The URL is here: https://github.com/SabriHaddouche/Mybb-E...ap.php#L41

xmlhttp.php?action=show_shouts

Don't forget to follow me on GitHub, have a nice day!
Just in case someone else reads this thread, MyShoutbox 1.6 has just been released and it fixes the security hole.
Enjoy
Enjoy what?
the fix
Oh :P

By the way, instead of making it public, perhaps contacting the author would be more clever next time if you find a security hole somewhere else.