MyBB Community Forums

Full Version: MyBB 1.6.5 hacked (uploads directory)
There are vulnerabilities in MyBB 1.6.5 and we'll be releasing 1.6.6 to fix these towards the weekend. However, I don't believe you could utilize any of these to escalate permissions and upload a shell such as this, and many of the vulnerabilities aren't in the public domain.

If you do locate a severe exploit, please use the 'Contact Us' link at the bottom of the page or post it in the Private Inquiries forum.
Sigh, why don't we stop pointing fingers at each other :-)
Sure, it could be some vulnerability on my server, just as it could be something MyBB (plugin?) related.
I'm just telling what's happening from experience. Hopefully it will lead to something.
The hacker hasn't been back on the server yet, but I'm kinda hoping he will. I too see it as a challenge to get him off the server.

A few notes:
- I don't have the rogue image files anymore. I pressed delete too fast.
- I have never used MyBB 1.6.4. I skipped that version.
A warez site... great
If MyBB 1.6.5 had such an exploit, I'm sure many other forums would have been hacked right now... starting by this one I guess since this would sound the alarm to every MyBB website and cause panic everywhere.

It may be one of the plugins you've got installed yes but it may also be your server.

Now, what is your site?
If you say gifs are being executed as php, then it's configuration on your server allowing people to upload an avatar with php in its gif comment and so it executes.
(2012-02-01, 12:33 PM) USAF Wrote: If you say gifs are being executed as php, then it's configuration on your server allowing people to upload an avatar with php in its gif comment and so it executes.

But notice he mentions that there is a rogue htaccess file that is telling the server to execute gifs as php via the AddType functionality.
But wait...nginx doesn't even support .htaccess. So that doesn't matter.
Do you have access to the php.ini?
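
Added example (not from any poster in this thread, and not MyBB code): a defender-side check of an uploads directory for the two conditions discussed above, an .htaccess whose AddType/AddHandler line ties a PHP type to an image extension, and image files containing a PHP open tag. The function names, directory layout and sample files are constructed for illustration.

```python
import os
import re
import tempfile

# AddType/AddHandler lines (not commented out) in an .htaccess file.
DIRECTIVE = re.compile(r"^[ \t]*(?:AddType|AddHandler)\b[^\n]*$", re.I | re.M)
IMAGE_EXT = re.compile(r"\b(?:gif|jpe?g|png)\b", re.I)
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")

def scan_uploads(root):
    """Return sorted (relative_path, reason) findings under an uploads directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if name.lower() == ".htaccess":
                for m in DIRECTIVE.finditer(data.decode("latin-1")):
                    line = m.group(0).strip()
                    # Flag only lines tying a PHP type/handler to an image extension.
                    if "php" in line.lower() and IMAGE_EXT.search(line):
                        findings.append((rel, "htaccess: " + line))
            elif name.lower().endswith(IMAGE_SUFFIXES) and b"<?php" in data.lower():
                findings.append((rel, "image contains PHP open tag"))
    return sorted(findings)

def demo():
    """Run the scan over a constructed uploads tree (sample data, not from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "avatars"))
        samples = {
            ".htaccess": b"# constructed sample\nAddType application/x-httpd-php .gif\n",
            "avatars/clean.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
            # GIF comment extension block carrying a PHP tag (constructed).
            "avatars/odd.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00!\xfe\x10<?php /* x */ ?>\x00;",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        return scan_uploads(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Any .htaccess inside a user-writable uploads directory deserves review even when this scan reports nothing, and on a server that ignores .htaccess files only the image-content finding is relevant.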