MyBB Community Forums

That is a big problem since it is -- IIRC -- included in every MyBB installation.

I am sorry but there is absolutely no possible way that an SQL injection or any other kind of hack could be forced via the Hello World plugin.

If the plugin is disabled it can't do anything, if it is enabled all it does is edit the $post["message"] to display a message.

If it is disabled the only way to enable it is if someone has access or your site was already hacked. Further more, the only way that it could be edited is if the file itself was edited. There would be no way for them to hijack the entire $page or $post variable and certainly not via that plugin.

The plugin does not take any input values and as such there is no entry point for a malicious user

(2012-07-31, 09:18 PM)RedCP Wrote: [ -> ]

(2012-07-31, 03:46 PM)pavemen Wrote: [ -> ]please share the plugin name and version with the support staff and perhaps contact the plugin author to inform them of the vulnerability. this way the plugin can be removed from the mods sites and if popular enough, the staff may post details about the exploit so others can defend against it.

It was that "Hello world!" plugin.

No way, are you trolling?

Haha ... I should have assumed as much.

Now I am trying to breathe because I am laughing so much. Hello World takes no user input, so there can't be any entry point for a vulnerability.

There is no way you were hacked through the hello world plugin. It does nothing to the db, tAkes no user input, just like everyone else said.

Didnt he say that it put a message in all the forums?

Whilst I can see no possible way to do this as there are no DB actions and no user input, it is possible that the user found some other route into the server and altered this file and enabled it which would possibly display a message, however this was not the entry point and disabling the plugin would fix it.