MyBB Community Forums

Full Version: [IMPORTANT] GitHub Account Attack
No I mean is it OK to do that myself?

And (still one more question, sorry) - that entry of the alleged database backup done by myself - does that mean that my database was actually downloaded by someone else?
Yes to both questions (unfortunately for the last one too...). In theory you may have been lucky enough to have closed the connection in time to avoid a full dump (e.g. by switching page).
I think that's plain catastrophe.

The engine should not have had that ability to initiate backups to a voluntary 3rd party IP address...

Maybe you should update your blog post to reflect my case, because it appears that if I hadn't followed your instructions and hadn't logged into the Admin panel, I may have avoided this leakage in some way. If I'm not mistaken, it's logging into the Admin Panel that triggers the leakage?!
(2014-11-17, 03:55 PM)Maechlis Wrote: [ -> ]I think that's plain catastrophe.

The engine should not have had that ability to initiate backups to a voluntary 3rd party IP address...

Maybe you should update your blog post to reflect my case, because it appears that if I hadn't followed your instructions and hadn't logged into the Admin panel, I may have avoided this leakage in some way. If I'm not mistaken, it's logging into the Admin Panel that triggers the leakage?!

It won't be a security issue if you log in now. Basically, here is what happened and how this worked.

MyBB essentially checks a certain URL to fetch the latest version of MyBB, and then compares it with its current version. If a more recent version is released, it will notify you. Generally, plain text is expected from that URL (e.g. 1.8.2), and it's not ordinarily a security issue because there is no user input as a part of what is fetched.

What essentially happened with this incident was that the github account of one of the maintainers was compromised, and the version file that stores information on the most recent version of MyBB was edited as a result to have a malicious script instead of the plain text version number that was expected. Because the versions do not match the version code that MyBB forums run with, the script will be outputted onto the page by MyBB, which will allow the hacker to download a database backup of your forum.

The issue is no longer present because the script code was removed from the MyBB version file on the MyBB website, and will no longer be fetched when you log in. You will be able to safely log into your ACP now without worrying about having a breach of security.
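As an added illustration (not MyBB's own code, and the function names are my own), here is the version-check path described above in a hardened form: the fetched string and the cached update_check value are accepted only if they are a plain version number, and the value is escaped before it is echoed into the ACP page, so a script body in the version file is discarded instead of being rendered.

```php
<?php
// Added example, not MyBB code: allow-list the remote version string before
// comparing, caching or displaying it. Function names are hypothetical.

// Returns the version if it is digits-and-dots (e.g. "1.8.2"), otherwise null.
function mybb_parse_version(string $raw): ?string
{
    $raw = trim($raw);
    if (!preg_match('/^\d+(\.\d+){1,3}$/', $raw)) {
        return null; // anything else (HTML, script, empty) is rejected
    }
    return $raw;
}

// Only store a cache entry that passed validation; a tampered payload is never cached,
// so a later ACP page load cannot execute it.
function mybb_sanitize_update_cache(array $cache): array
{
    $version = mybb_parse_version($cache['latest_version'] ?? '');
    return $version === null ? [] : ['latest_version' => $version];
}

// version_compare handles "1.8.10" > "1.8.2" correctly, unlike a string compare.
function mybb_update_notice(string $current, string $remoteRaw): string
{
    $remote = mybb_parse_version($remoteRaw);
    if ($remote === null) {
        return 'Version check failed: remote version file was not a plain version number.';
    }
    if (!version_compare($remote, $current, '>')) {
        return 'MyBB is up to date.';
    }
    // Escape even a validated value before it reaches the page.
    return 'A newer version of MyBB is available: '
        . htmlspecialchars($remote, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: a clean version file and a tampered one like the incident's.
$clean    = "1.8.3\n";
$tampered = "<script>/* injected payload */</script>";

echo mybb_update_notice('1.8.2', $clean), PHP_EOL;     // newer version announced
echo mybb_update_notice('1.8.2', $tampered), PHP_EOL;  // rejected, nothing rendered
var_dump(mybb_sanitize_update_cache(['latest_version' => $tampered])); // array(0) {}
```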
Darth Apple:

Well, that gets me puzzled, because if it's been safe to log in today, then why did I get my DB leaked today?

Once again, I did not log in between the 14th and 15th. I logged in only today.

Here's what I see in my admin log now.

[attachment=33027]

In the first column, there's my own nickname. In the last column, there's my own IP address. The second column suggests that the backup was made today (not on the 14th or 15th), exactly at the moment when I logged in.

Or is this timestamp incorrect and the malicious backup actually happened on the 14th or 15th?

UPD: checked in the parallel thread, and this behaviour is a matter of the update_check cache. Anyway, I'm puzzled, because my Version Check task is scheduled with a 24h period, so this should already have been renewed to the clean version since the matter was resolved on the MyBB side. Why hasn't it?
The task was executed during that period of time and therefore the update_check cache was updated with the malicious code - this is the issue here. Then you logged in today and you ended up executing that malicious code when visiting the ACP index page. It only gets updated IF a new version is released (they set it to 1803 so right now, unless people rebuild their cache, it won't update until 1804 gets released).
Then, as I said above, it makes sense to adapt your blog recommendation to that case, because I think there are lots of people now who read the post, go to their ACP and have the malicious code executed, like I had it.

Perhaps they would better disable the admin panel backup first (by modifying the php code or something)!
You can delete /admin/modules/tools/backupdb.php just to be on the safe side. I've already done this on my forum.
I think this was answered already in the thread, but just to be sure - this vulnerability should not have affected 1.6 boards correct?

Thanks to the staff for clearing this whole security mess up quickly!
(2014-11-17, 05:23 PM)Maechlis Wrote: [ -> ]Then, as I said above, it makes sense to adapt your blog recommendation to that case, because I think there are lots of people now who read the post, go to their ACP and have the malicious code executed, like I had it.

Perhaps they would better disable the admin panel backup first (by modifying the php code or something)!
I'm not sure I'm following you. I mention in the blog post to clear the cache entry. Are you suggesting that I suggest people to delete the backup module first?

@jshort it affects all boards.

I'd like to note that right now it's still targeting the backup module but it can change at any minute (e.g. deleting users).