MyBB Community Forums

Full Version: 1.6.4 Security Vulnerability
We reported on Oct 6th that there was a vulnerability in MyBB 1.6.4 and advised on how to fix it on our blog.

If you are running a 1.6.4 forum, it's urgent that you apply this fix as quickly as possible. Visit our blog for instructions.

Checking for other security issues
If you haven't applied the fix yet, or you have been hacked recently, it's a good idea to check other areas to see if a malicious hacker has left back doors into your system. There are various methods to check for these.
  • Log in to your ACP and go to Tools & Maintenance -> File Verification (on the left)
    • This will check core MyBB files to see if they have been edited
    • If a file is listed as being changed, and you haven't edited it, download the latest version of MyBB and replace these files
    • Take extra precaution if you have installed plugins that alter core files, such as Google SEO


  • In the ACP, visit the Tools & Maintenance area and click on the 'Check Templates' tab
    • This will check your templates for any security issues that may reveal your database information


  • Run a folder comparison using difference software
    • Please note that if you have a large forum, or use your forum's root folders for other purposes, this may take a while, so use it with caution
    • Download your forum's folders and files to your local computer
    • Download the latest version of MyBB from our website
    • Using software such as SourceGear's DiffMerge, you can compare folders - see the specific instructions for your software on how to do this
      • This process will compare the files from your forum to the official release - if there are any extra files, it will detect them and notify you (note, it will also detect custom images and uploads)
      • Check each different file to see if you have added it - if you have no idea what it is and it doesn't appear to be important, it is best to remove it from your server (keep a backup of it, however, and if it appears in the uploads folder take extra precaution)
      • If in doubt, ask us
Reporting Security Issues / Problems
If your forum has been hacked, then please start a new thread as each user may have different scenarios. Before starting a new thread, remember to search (for example, if you see error messages) to see if other users are having the same problems as you and methods to fix them.

If you think you've found a vulnerability in MyBB then please report it by Contacting Us with a security related message. Please only do this if you have a proof of concept - the ability to reproduce the vulnerability with a set of instructions.
I encountered this yesterday.
Hopefully, everything was fixed already.
Thanks for the Fix, More power to MyBB.
I've stickied this thread, as it is important.
I used your patch on October 8th. Now I ran Tools & Maintenance -> File Verification, with this result:

Seems to be a lot of work to fix it.

From my side too, thanks for your great work and the patch.
Ruby, have you altered any of these files or installed any plugins that might do this - to your knowledge?

If you haven't, download the files to your local computer and upload new copies from the latest version of MyBB. You can use the last step I mentioned in my post to compare the two files too - instead of comparing folders.
Hello Tomm

I am using some plugins; I will edit this post with the list of plugins.
We had to edit the files of one of our plugins because it didn't work any more, but that has nothing to do with MyBB. At the moment I am downloading my forum to my machine.

These files have been altered anyway:

File 	Status
inc/cachehandlers/eaccelerator.php 	Changed
inc/languages/english/admin/global.lang.php 	Changed
inc/languages/english/archive.lang.php 	Changed
inc/class_templates.php 	Changed
inc/datahandler.php 	Changed
forumdisplay.php 	Changed
admin/modules/config/profile_fields.php 	Changed
index.php 	Changed
install/images/bullet.gif 	Missing
install/images/content_bg.gif 	Missing
install/images/error_bg.gif 	Missing
install/images/h2-admin.gif 	Missing
install/images/h2-config.gif 	Missing
install/images/h2-createtables.gif 	Missing
install/images/h2-dbconfig.gif 	Missing
install/images/h2-finish.gif 	Missing
install/images/h2-license.gif 	Missing
install/images/h2-requirements.gif 	Missing
install/images/h2-tablepopulate.gif 	Missing
install/images/h2-theme.gif 	Missing
install/images/h2-welcome.gif 	Missing
install/images/index.html 	Missing
install/images/submit_bg.gif 	Missing
install/images/tcat_bg.gif 	Missing
install/images/thead_bg.gif 	Missing
install/index.php 	Missing
install/resources/adminoptions.xml 	Missing
install/resources/adminviews.xml 	Missing
install/resources/index.html 	Missing
install/resources/language.lang.php 	Missing
install/resources/mybb_theme.xml 	Missing
install/resources/mysql_db_inserts.php 	Missing
install/resources/mysql_db_tables.php 	Missing
install/resources/output.php 	Missing
install/resources/pgsql_db_tables.php 	Missing
install/resources/settings.xml 	Missing
install/resources/sqlite_db_tables.php 	Missing
install/resources/tasks.xml 	Missing
install/resources/upgrade1.php 	Missing
install/resources/upgrade10.php 	Missing
install/resources/upgrade11.php 	Missing
install/resources/upgrade12.php 	Missing
install/resources/upgrade13.php 	Missing
install/resources/upgrade14.php 	Missing
install/resources/upgrade15.php 	Missing
install/resources/upgrade16.php 	Missing
install/resources/upgrade17.php 	Missing
install/resources/upgrade18.php 	Missing
install/resources/upgrade19.php 	Missing
install/resources/upgrade2.php 	Missing
install/resources/upgrade20.php 	Missing
install/resources/upgrade3.php 	Missing
install/resources/upgrade4.php 	Missing
install/resources/upgrade5.php 	Missing
install/resources/upgrade6.php 	Missing
install/resources/upgrade7.php 	Missing
install/resources/upgrade8.php 	Missing
install/resources/upgrade9.php 	Missing
install/resources/usergroups.xml 	Missing
install/stylesheet.css 	Missing
install/upgrade.php

Plugins

Some of them are deactivated for some reason:

stats.php Plugin abstellen (1.1)
Videolnk (0.9.1)
Embed video clips in your site
Akismet (1.2.1)
Latest Attachment Gallery (1.4)
Bad Behavior (1.0.0)
Erweiterte Foren-Statistik (1.4)
Fassim Anti Spam (1.21)
Goodbye Spammer (1.0)
Hello World! (1.0)
Iframe BBcode (1.0beta)
MP3 Player (1.0)
Shoutbox (2.2.0)
Stop forum spam (1.2)
Tube Video Gallery (1.4.0)
Usergroup legends (2.0)

This was very annoying for me because I use PHP scripts. Thanks for the patch!
Hello Tomm

please edit the link in your first post ("download the latest version of MyBB"), perhaps to point at the home site, because it gives a file not found error.
(2011-10-13, 11:58 AM) Ruby Wrote:
Hello Tomm

please edit the link in your first post ("download the latest version of MyBB"), perhaps to point at the home site, because it gives a file not found error.

Just a typo. It should be download, not downloads.
I am running 1.6.4 and my index.php file seems to be updated already? Is this possible?