MyBB Community Forums

Full Version: Another Hack Attempt
Someone just registered with this username: '.system($_POST[cmd]).'

As far as I know, nothing was accomplished.
Are you using the latest version, 1.1.5?
Yeah.

I don't get why MyBB is such a big target lately.
Same! Someone registered at my forum with that username. Their email address is [email protected] but I put .ru in the email ban list, so why can users still register with such an email address?!
As long as you're using the latest version of MyBB then you shouldn't be too worried about this. Version 1.1.4 fixed the bug where such usernames could be used to gain information.
Perhaps a validation should be placed on new user names so that only alpha and numeric characters (and maybe the "_") can be used. Why deal with it on the back end?

Art Martin
Usernames should be checked via JavaScript and on the back end.

I think we should add a hook which allows plugins to veto usernames before they're entered in the database.
JavaScript should never really be relied upon for checking user input. However, I'm sure some additional PHP code could be used on the registration page in future to block "illegal" username characters.
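
The server-side allowlist and plugin veto hook proposed in the posts above, sketched as an added example that is not part of the thread and not MyBB's own code. The function and class names, the 3 to 30 character limit and the reserved-name list are assumptions.

```php
<?php
// Added example; all names are hypothetical, not MyBB's API.
// Allowlist: letters, digits and "_" only. The 3-30 length is an assumed limit.
function username_is_wellformed(string $name): bool
{
    // \A and \z anchor the whole string; "$" would also accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9_]{3,30}\z/', $name) === 1;
}

// Veto hooks: each callback returns null to allow, or a reason string to reject.
final class UsernameVetoHooks
{
    private array $hooks = [];
    public function add(callable $hook): void
    {
        $this->hooks[] = $hook;
    }

    public function firstVeto(string $name): ?string
    {
        foreach ($this->hooks as $hook) {
            if (($reason = $hook($name)) !== null) {
                return $reason;
            }
        }
        return null;
    }
}

// Runs on the server before any database write; returns [accepted, reason].
function validate_username(string $name, UsernameVetoHooks $hooks): array
{
    if (!username_is_wellformed($name)) {
        return [false, 'only letters, digits and "_" are allowed (3-30 chars)'];
    }
    $veto = $hooks->firstVeto($name);
    return [$veto === null, $veto];
}

$hooks = new UsernameVetoHooks();
// Sample plugin with a constructed reserved-name list.
$hooks->add(fn(string $n): ?string =>
    in_array(strtolower($n), ['admin', 'moderator'], true) ? 'reserved name' : null);

// Constructed inputs; the first is the username quoted in this thread.
foreach (["'.system(\$_POST[cmd]).'", 'Art_Martin', 'admin', "bob\n"] as $candidate) {
    [$ok, $why] = validate_username($candidate, $hooks);
    printf("%-28s %s\n", json_encode($candidate), $ok ? 'accepted' : "rejected: $why");
}
```

Rejecting the name at registration only narrows what can be stored; any place that later displays or processes a username still needs its own escaping.
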
Well, I don't show my forum version to normal users and why should I? They aren't supposed to know which forum software version I am using.

Just remove it from the beginning and the hackers can't locate you in search engines, and there is less chance of getting attacked when new exploits are found.

Every hacker knows how to check the forum version. You are using the latest 1.1.5.

[Image: v1157si.gif]

So I really don't see the reason to hide the version on the bottom of the board.