MyBB Community Forums

Full Version: Inordinate amount of security vulnerabilities?
Indeed.
(2008-10-07, 11:40 AM)Te 8 Wrote: I have multiple servers; at one time in the past MyBB was the first thing on it before other things were added.

So you're telling us you installed MyBB before you installed MySQL?? Do you also put your shoes on before your socks??

(2008-10-07, 11:51 AM)xiaozhu Wrote:
(2008-10-07, 11:40 AM)Te 8 Wrote: I guess this is why MyBB is free and vBulletin isn't. One is worked on by professionals who give you professional advice and support free from insults and flaming, the other is programmed by amateurs in their free time, and the support you get consists mainly of fanboys who actually know very little about the software but have a lot to say anyway.

Keep up the good work guys.

Indeed, you can go ahead and pay for "better support" and "better software".

Or you can always inform the MyBB Team to make MyBB better and more secured, instead of blaming/ranting onto a free software.

Exactly, we still have no idea how your forums were hacked and what happened, so how can anyone do anything about it?? And we still have no idea how you're so sure it was even MyBB.

(2008-10-07, 12:33 PM)lufbra Wrote: I find it ironic that you haven't got the time to check for updates, yet you can spend your valuable time posting rants here. This would not have been necessary had you used a more "professional" software in the first place!

Good point. All the time spent posting here, you could have checked you were using the latest version hundreds of times.

Obviously the server has MySQL and many other things on it (what a really silly thing to say). It's pretty obvious I'm referring to web applications. I have lots of servers, all hosting lots of different websites on each machine. All have equal chance of being hacked in that regard. It's only the two with MyBB that were hacked, both in the same way, and as I said before, on one of them it happened when MyBB was the only website I'd put on it.

Now it's possible that by random chance and against the statistics and evidence, it was something else that was hacked, and for some reason only happened on those two servers and not the others, but when I see that MyBB has had high risk vulnerabilities fixed and I'm running an old version, I draw a conclusion - possibly incorrect, but that isn't actually relevant: It's a FACT that MyBB has had and will have security vulnerabilities, and it was these I wanted to discuss.

I don't see how your last post has added anything to the discussion. In fact, I don't see how many of the posts did. Someone here makes something up or draws a conclusion without all the facts, and then I have to correct it, and it doesn't help either of us. How long will we keep it going on like this? 5 pages? 10?

Imagine for a moment that this was a professional support contract, and a customer raised an issue, and the response was to presume the customer was lying, and look for holes in his story, never actually touching on the issue or helping.

By all means verify that the problem wasn't caused in some other way if it looks unlikely it was caused by your software. A good method is to suggest common causes and how to find them (in my case, the common cause is insecure PHP scripts, and I can rule out other scripts). And do so in a way that doesn't insult the customer or his intelligence. The goal is obviously to keep the customer, and help him solve his query.

Lufbra just pointed out all the holes I was about to. Seriously, you're not being consistent with your story.

Quote: I'm not even going to bother explaining this any more, it's like explaining science to a religious person. They ignore all the facts, and just make stuff up.

You haven't given us any real facts. You have basically told us to trust you that it was MyBB.

Te 8 Wrote: You could just trust me. It doesn't matter for the immediate discussion.

That sounds more like a statement from a religious person.

Quote: I wanted to know the nature of what caused it because I wanted to see whether it was a mistake, or bad design/planning, whether it's likely to happen again.

I normally see what bugs were fixed and if it's a security update I find what has changed. This helps me understand where the exploit was. I really don't get your point about wanting to know if it's a "mistake" or "bad design/planning". It sounds very insulting to the hard working volunteers of the MyBB development team. They have been very good at patching and releasing security updates. Since I run a large hacker forum which is under CONSTANT attack I am going to assume MyBB is secure AS LONG AS YOU UPDATE.

And if you think a project isn't up to secure standards and practices you should not use it. Whenever I decide to try a new software I check its code and see how it's written. I check its changelogs too. You claim to be a coder. Start acting like one.

Quote:Matt: I do create software more complex than MyBB all the time and I make it secure from the outset by following good programming principles like those I was taught.

And do you release your software publicly? It greatly increases the chance of exploits being found. Really... the whole tone of this thread and your statements are just downright insulting.

EDIT: I posted this while you made your post Te 8. I will say you make a point, but really your last post is the first one to explain in more detail your issues. You bluntly state the MyBB installs were old unpatched versions. Why should it come as a surprise they were exploited? And if you aren't aware, the last MyBB update (1.4.2) was the direct result of an external security audit. One that Chris paid for out of his pocket. This is how seriously MyBB does take its security. MyBB is still a fairly young project and as it grows its security will also grow. If you really are worried about security and you are not going to update often then maybe MyBB isn't the right project for you to work with.

(2008-10-07, 04:17 PM)Te 8 Wrote: Obviously the server has MySQL and many other things on it

Exactly!! So the server had MySQL, who's to say that wasn't hacked?? You are pointing the finger solely at MyBB which is just wrong. How can you be so adamant it's MyBB but not explain how?? Once that is cleared up, I won't post in this thread anymore. You can't just claim MyBB is as insecure as you say but not explain.

(2008-10-07, 04:21 PM)labrocca Wrote: if you aren't aware, the last MyBB update (1.4.2) was the direct result of an external security audit. One that Chris paid for out of his pocket. This is how seriously MyBB does take its security. MyBB is still a fairly young project and as it grows its security will also grow.
Yes, this is good news. Someone could have reassured me about this straight away, instead of starting an interrogation.

(2008-10-07, 04:24 PM)Matt_ Wrote:
(2008-10-07, 04:17 PM)Te 8 Wrote: Obviously the server has MySQL and many other things on it

Exactly!! So the server had MySQL, who's to say that wasn't hacked?? You are pointing the finger solely at MyBB which is just wrong. How can you be so adamant it's MyBB but not explain how?? Once that is cleared up, I won't post in this thread anymore. You can't just claim MyBB is as insecure as you say but not explain.
Matt, it's clear you don't know much about anything. I admire your fervor but this doesn't even deserve a reply. Frankly I can't believe you're so amazed a webserver has MySQL installed on it.

I'm not. When did I say that amazed me?? What I don't know is why you think MyBB was vulnerable over anything else. That's it, all I'm interested in, as I said above.

I've explained why...

(2008-10-07, 04:17 PM)Te 8 Wrote: I have lots of servers, all hosting lots of different websites on each machine. All have equal chance of being hacked in that regard. It's only the two with MyBB that were hacked, both in the same way, and as I said before, on one of them it happened when MyBB was the only website I'd put on it.

Now it's possible that by random chance and against the statistics and evidence, it was something else that was hacked, and for some reason only happened on those two servers and not the others, but when I see that MyBB has had high risk vulnerabilities fixed and I'm running an old version, I draw a conclusion

Everything running on your server can potentially be exploited if it has security flaws, not just the web software running on it. That includes things like Apache and MySQL if they aren't kept up to date, heck even the Operating System could be at fault if it isn't patched.

(2008-10-07, 06:00 PM)MrDoom Wrote: Everything running on your server can potentially be exploited if it has security flaws, not just the web software running on it. That includes things like Apache and MySQL if they aren't kept up to date, heck even the Operating System could be at fault if it isn't patched.
I know.