MyBB Community Forums

Full Version: forum get hacked by sql injection
My forum got hacked. I don't know how he did it; I guess it is an SQL injection attack!
My forum has a VIP section; he somehow injected some code to make VIP open to all newly registered members. I only found out about this issue 2 days later (=.=") and fixed it back, but I think the MyBB vulnerability is still there and he can do it again.

I checked the admin log; nobody has done so, so it should be from an outside injection. Devs, please try to fix this issue, else I have to change to another, more secure forum system.

P.S.: I am using the latest MyBB copy. The vulnerability is there!
Title Wrote: forum get hacked by sql injection

(2012-07-13, 10:21 PM) yes123 Wrote: My forum got hacked. I don't know how he did it; I guess it is an SQL injection attack!

---

The MyBB forum software doesn't offer a VIP module by default. Probably you are using a bugged plugin.
(2012-07-13, 10:40 PM) Omar G. Wrote:
Title Wrote: forum get hacked by sql injection

(2012-07-13, 10:21 PM) yes123 Wrote: My forum got hacked. I don't know how he did it; I guess it is an SQL injection attack!

---

The MyBB forum software doesn't offer a VIP module by default. Probably you are using a bugged plugin.

It is just another sub-forum for limited group access, no plugin needed!
He just injected code to make it open to all members; now even tracing the server log IPs couldn't find out who did it, because many new members have accessed it within 2 days.
Are you sure it was an injection and not just a bad permissions configuration? Has the VIP Section been there a while or is it new?
You have no evidence this has anything to do with SQL injection or any form of hacking. Please don't hurt MyBB's reputation with baseless claims like this.
And this is why many users feel threads like this should have to be approved.
(2012-07-14, 12:31 AM) brad-t Wrote: You have no evidence this has anything to do with SQL injection or any form of hacking. Please don't hurt MyBB's reputation with baseless claims like this.

It is a hack for sure!
Covering up the truth won't help.

(2012-07-13, 11:02 PM) pavemen Wrote: Are you sure it was an injection and not just a bad permissions configuration? Has the VIP Section been there a while or is it new?

I guess it is some kind of injection attack.
Before that happened, many bots were registering in my forum and posting abnormal posts with funny script, and even in their signatures; I just deleted them.
Now that I think of it, it might be related.
(2012-07-14, 03:25 AM) yes123 Wrote:
(2012-07-14, 12:31 AM) brad-t Wrote: You have no evidence this has anything to do with SQL injection or any form of hacking. Please don't hurt MyBB's reputation with baseless claims like this.

It is a hack for sure!
Covering up the truth won't help.

Unless you can provide proof, your claims have no ground. You can't say you think it was SQLi without any proof of concept.

There are no known public vulnerabilities in the latest version of MyBB. If there were, they'd target forums much larger than yours.
(2012-07-14, 03:30 AM) Nathan Malcolm Wrote:
(2012-07-14, 03:25 AM) yes123 Wrote:
(2012-07-14, 12:31 AM) brad-t Wrote: You have no evidence this has anything to do with SQL injection or any form of hacking. Please don't hurt MyBB's reputation with baseless claims like this.

It is a hack for sure!
Covering up the truth won't help.

Unless you can provide proof, your claims have no ground. You can't say you think it was SQLi without any proof of concept.

There are no known public vulnerabilities in the latest version of MyBB. If there were, they'd target forums much larger than yours.

When a vulnerability is known in public, people have already been abusing it for months.
Covering up the truth won't help.
(2012-07-14, 03:37 AM) yes123 Wrote: When a vulnerability is known in public, people have already been abusing it for months.
Covering up the truth won't help.

When vulnerabilities are made public we patch them within days, if not hours. There are no known vulnerabilities in the latest version of MyBB.

We're not covering anything up, we have no reason to.