MyBB Community Forums

Full Version: Forum Hacked
Someone hacked my MyBB forum through the avatar and upload folder.

I would like it so that I can have an avatar and others can't upload anything.


I tried the 666 settings like suggested in the docs, but it will not display my avatar for some reason for everyone.

I tried just uploading it and setting both folders to 555 and that seems to work. I just want to make sure the 555 is secure and that nobody can upload to those folders. Should I add a .htaccess file?

I tried the remote avatar with my same avatar that works and nothing happens.

Any help would be appreciated.
This security loophole was fixed in a recent version. As with all software exposed to the internet, MyBB should regularly be updated to the latest version for optimal security and stability. I recommend that you update your forum to MyBB 1.2.12 immediately to prevent re-occurrences of this. This way, you can continue offering the avatar service to all your users without the risk of being hacked again.

Mike
You can disable avatar uploads in Admin CP --> Users and Groups --> Manage Groups --> Registered Usergroup. Change the "Can Upload Avatars" permission to "No".
Join the MyBB mailing list so you can be notified of new updates as well.
Thanks for the information. It's a good thing that I had a backup of the database.
labrocca Wrote: Join the MyBB mailing list so you can be notified of new updates as well.
I find it easier to subscribe my RSS reader to the "Announcements" forum's RSS feed, faster than waiting for the email.
Ok - I upgraded to the latest 1.2.12 and for some reason whenever a registered user or myself (admin) logs off I get this message:

Your user ID could not be verified to log you out. This may have been because a malicious Javascript was attempting to log you out automatically. If you intended to logout, please click the Logout button at the top menu.


Do you know what could be the problem?
Look for the logout problem sticky in the support forum.
labrocca Wrote: Look for the logout problem sticky in the support forum.

Thanks!

Worked perfect...

Thanks for the great support.