I don't think it's a jpg vulnerability - I can't imagine how someone could get access to php files using such exploit. I'd rather guess that this is a php or server-level exploit.
I wasn't stating that it was a .jpg vulnerability or even an attachment venerability necessarily. One can name any kind of file to have a .jpg extension, and would seem the extension of choice to use for posting an attachment, since virtually all forums will accept these file types.
I'm on the same page as most in thinking that this is a PHP fault, but that file that was posted by the user had to have some type of purpose. It wasn't there just to look like a disguised .jpg file.
(2011-10-11, 02:16 PM)moze229 Wrote: [ -> ]I wasn't stating that it was a .jpg vulnerability or even an attachment venerability necessarily. One can name any kind of file to have a .jpg extension, and would seem the extension of choice to use for posting an attachment, since virtually all forums will accept these file types.
I'm on the same page as most in thinking that this is a PHP fault, but that file that was posted by the user had to have some type of purpose. It wasn't there just to look like a disguised .jpg file.
but at least the in case of MyBB, the image is validated by GD getimagesize and unless valid dimensions are returned, the attachment is refused. As least in the case of images. You need, as an admin, need to be responsible for other attachment types.
(2011-10-11, 03:21 PM)pavemen Wrote: [ -> ]but at least the in case of MyBB, the image is validated by GD getimagesize and unless valid dimensions are returned, the attachment is refused. As least in the case of images. You need, as an admin, need to be responsible for other attachment types.
Thanks for the lecture pavemen
Looking at your signature, I've been to your site many times. Followed links from Dodgeforum. Can't say that I'm a member though. I'm not a four-wheelin' kinda guy. I can't believe that I never noticed you were running MyBB.
Thanks all for your input. I'll keep an eye out for the exploit, although I'm sure the issue will be found and patched long before I get a chance to figure out anything.
Thanks frostschutz. I wasn't even aware of that patch.
The vulnerability frostschutz mentions may or may not exist on your forum. If it exists, follow the steps to remove it.
(2011-10-12, 11:51 AM)seminar techi Wrote: [ -> ]can anyone solve this problem http://community.mybb.com/thread-105718-...#pid770794 its similar one
Please start your own thread if you feel that your issue is that far separated from mine. It appears to be similar, but not exact. There appears to be a specific method of injecting MyBB's PHP files right now. Read this thread in full, and if you aren't satisfied with a solution or feel that this is not related, start another thread.
OK - I take that back. The link is to your thread. LOL
(2011-10-12, 11:27 AM)Tomm M Wrote: [ -> ]The vulnerability frostschutz mentions may or may not exist on your forum. If it exists, follow the steps to remove it.
I just followed the directions of the patch release. Whether or not it is related exactly to my specific problem is way beyond my brain's capability to determine.
I have had this same problem today with error messages being mailed to me everytime the front page (index.php) is accessed. Looking at this file, I see that it was modified at 0751 this morning and I know I didn't do it. So looking at the file "index.php" using a text editor, I see that a line of code has been added at the very end of the file. I've commented it out, resaved it and, hopefully, the problem is solved. The question remains, how can anybody get to this file and add to it the way that they have. Is it easy to find because my folder name that the site is run on is in the folder /myBB/ ? Even so, how do they edit it? I run the web server myself on my own network and it's also behind a port...............
Also just seen this related post which patches the file index.php - I followed the manual instructions, so hopefully, this problem will not reappear.......
http://blog.mybb.com/wp-content/uploads/...atches.txt