MyBB Community Forums

Full Version: Inordinate amount of security vulnerabilities?
(2008-10-09, 01:28 PM)Matt_ Wrote:
(2008-10-09, 01:02 PM)alexro Wrote:
(2008-10-08, 11:37 PM)NetSage Wrote: And I'm going to take a wild guess and say you have kept your forums up to date with the latest patches too.

Yes, I updated my boards with the latest patches and updates within a maximum of 48 hours after the updates were released.

Like everyone should, and it probably explains why you haven't been hacked. People staying at 1.2.14 now is one thing, but not updating 1.4 when you can is silly.

1.4 isn't an exploit-fixing release. So it shouldn't matter, since 1.2.x is still supported, and has been updated along with the 1.4.x releases.
Of course everyone is better off updating, but they are secure until the next exploit is found.
True, but it's still a good idea to update, especially as 1.4.2 was because of a security audit.

And had 1.2 been updated since 1.4?? I thought 1.2.14 was the last release and that was before 1.4 Huh
(2008-10-09, 04:40 PM)Matt_ Wrote: True, but it's still a good idea to update, especially as 1.4.2 was because of a security audit.

And had 1.2 been updated since 1.4?? I thought 1.2.14 was the last release and that was before 1.4 Huh

Yes but it has been patched since then. Just check the MyBB 1.4.2 thread.
(2008-10-09, 06:19 AM)DennisTT Wrote: It was originally in General Support.
Oh okay, that explains it all. Apologies.
(2008-10-09, 08:01 PM)CraKteR Wrote:
(2008-10-09, 04:40 PM)Matt_ Wrote: True, but it's still a good idea to update, especially as 1.4.2 was because of a security audit.

And had 1.2 been updated since 1.4?? I thought 1.2.14 was the last release and that was before 1.4 Huh

Yes but it has been patched since then. Just check the MyBB 1.4.2 thread.

So it was, hadn't noticed that.

(2008-10-11, 01:21 AM)ZiNgA BuRgA Wrote:
(2008-10-09, 06:19 AM)DennisTT Wrote: It was originally in General Support.
Oh okay, that explains it all. Apologies.

I guess Te 8 finally got the picture, I reckon Dennis's post did it Toungue
Funny, it seems TE 8's only problem here is that, for some reason, TE 8 was not aware of the latest release. And therefore, he was running an 'old' version of MyBB.

Being he has "clients" using this software, wouldn't it be his fault, and not MyBB's, that he was hacked due to his lack of diligent support, ensuring that the latest version of MyBB was installed for his "clients"?

Only once has my forum ever been "attacked", but it was by a spammer, and it was my fault for not applying the proper settings to prevent it from happening.

I can honestly say that, in my experience, MyBB is probably the most secure free forum software currently available and I trust that the MyBB team will keep it that way.

As an admin, or "service provider", it is their job to "keep-up" on software updates and install them ASAP. IT IS NOT, necessarily, the responsibility of the developers of any software to ensure that ALL USERS of said software receive notice of such updates. Simply by 'signing up' for such a service does not always guarantee you will be informed.

I am very happy with MyBB and I have never used any software that claimed to be the "FINAL VERSION" due to it being so perfectly written that it will never need another "fix" or "update" for the rest of its existence. Obviously, there is "abandoned" software that has become the "final version". However, MyBB is not one of them.

Interestingly, after reading all of this thread, what the actual attack was, we still don't know. Hmmm....
What we do know is that he was not running the latest version. His fault, not MyBB's.

From the initial post:
Quote:...and only find out about the severe problems when I got complaints about my server hosting phishing scams. And every time the culprit is the same: MyBB.

I am no expert by any means, but I think not! It seems to me that "phishing" is not even possible by the MyBB software without some kind of additional malicious code being added to it, or other code being placed on your server itself, to "use" MyBB, or some other legitimately installed software, to do that.

Someone, or thing, may have found a "back door" to your server or software and installed it. (Not entirely uncommon, BTW.) IMO, you should check/change your server or software security settings, password(s), etc. and look for any "unauthorized" access that allowed software installs/updates on your server(s).

Oh, here's a hint - DO NOT REMOVE THE "LOCK" FILE FROM YOUR FORUM'S INSTALL FOLDER! Without it, you are likely open to attacks!

Developers: If the above statement is "dangerous", please edit this post and remove it along with this statement. THX

I think it's time to close this thread and allow it to quietly die now, isn't it?
I applaud you.

I'm glad you also pointed out that we never even knew how the forum was attacked, despite me asking in most of my posts. It made his argument totally pointless. You wouldn't go and complain in a shop about a bad product but not tell them what was wrong with it, would you?? Rolleyes

Te 8 spent 4 Hours, 45 Minutes, 23 Seconds online, arguing a case with no evidence. Yet he said he didn't have time to check for updates. It sure doesn't take me that long to check for an update. I check a few times a day, and it takes all of a few seconds.
Quote:Oh, here's a hint - DO NOT REMOVE THE "LOCK" FILE FROM YOUR FORUM'S INSTALL FOLDER! Without it, you are likely open to attacks!

Better yet...delete it or rename it something obscure like ashdfjasfhjkasf.
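The two posts above give the operational rule (keep the installer's lock file, or remove or rename the install folder altogether). The script below is an added example, not code from this thread or from MyBB itself, that turns that rule into a repeatable check an admin can run over a forum root: it reports the forum as hardened only when the install directory is absent or contains the lock file, and offers a one-line remediation that recreates the lock. It assumes the installer lives at `install/` under the forum root and honours a file named `lock` there; the demo runs against constructed temporary directories, never a real forum.

```shell
#!/bin/sh
# Added example (not from the thread or from the MyBB project).
# Assumption: MyBB's web installer lives in <forum_root>/install and is
# disabled when a file named <forum_root>/install/lock exists.

# Return 0 when the installer cannot be reached (directory gone or locked),
# 1 when install/ exists without a lock file.
check_mybb_install_dir() {
    root="$1"
    if [ ! -d "$root/install" ]; then
        echo "OK: $root has no install/ directory"
        return 0
    fi
    if [ -f "$root/install/lock" ]; then
        echo "OK: $root/install/lock present, installer disabled"
        return 0
    fi
    echo "WARNING: $root/install/ exists without a lock file; installer is reachable" >&2
    return 1
}

# Remediation: recreate the lock file if the installer directory is still there.
# Returns the result of re-running the check afterwards.
lock_mybb_installer() {
    root="$1"
    [ -d "$root/install" ] || return 0
    : > "$root/install/lock"
    check_mybb_install_dir "$root"
}

# Self-contained demo on constructed temporary directories.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/exposed/install" "$tmp/locked/install" "$tmp/removed"
    : > "$tmp/locked/install/lock"
    check_mybb_install_dir "$tmp/exposed" || :   # reports WARNING
    check_mybb_install_dir "$tmp/locked"         # reports OK
    check_mybb_install_dir "$tmp/removed"        # reports OK
    lock_mybb_installer "$tmp/exposed"           # now reports OK
    rm -rf "$tmp"
}
```

Running `check_mybb_install_dir /path/to/forum` from cron gives a non-zero exit whenever someone has deleted the lock to re-run the installer, which is the condition the posts warn about; deleting the whole `install/` directory after setup, as suggested above, makes the check pass unconditionally.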
(2008-10-12, 05:09 PM)dcaduser Wrote: Funny, it seems TE 8's only problem here is that, for some reason, TE 8 was not aware of the latest release. And therefore, he was running an 'old' version of MyBB.

Being he has "clients" using this software, wouldn't it be his fault, and not MyBB's, that he was hacked due to his lack of diligent support, ensuring that the latest version of MyBB was installed for his "clients"?

Only once has my forum ever been "attacked", but it was by a spammer, and it was my fault for not applying the proper settings to prevent it from happening.

I can honestly say that, in my experience, MyBB is probably the most secure free forum software currently available and I trust that the MyBB team will keep it that way.

As an admin, or "service provider", it is their job to "keep-up" on software updates and install them ASAP. IT IS NOT, necessarily, the responsibility of the developers of any software to ensure that ALL USERS of said software receive notice of such updates. Simply by 'signing up' for such a service does not always guarantee you will be informed.

I am very happy with MyBB and I have never used any software that claimed to be the "FINAL VERSION" due to it being so perfectly written that it will never need another "fix" or "update" for the rest of its existence. Obviously, there is "abandoned" software that has become the "final version". However, MyBB is not one of them.

Interestingly, after reading all of this thread, what the actual attack was, we still don't know. Hmmm....
What we do know is that he was not running the latest version. His fault, not MyBB's.

From the initial post:
Quote:...and only find out about the severe problems when I got complaints about my server hosting phishing scams. And every time the culprit is the same: MyBB.

I am no expert by any means, but I think not! It seems to me that "phishing" is not even possible by the MyBB software without some kind of additional malicious code being added to it, or other code being placed on your server itself, to "use" MyBB, or some other legitimately installed software, to do that.

Someone, or thing, may have found a "back door" to your server or software and installed it. (Not entirely uncommon, BTW.) IMO, you should check/change your server or software security settings, password(s), etc. and look for any "unauthorized" access that allowed software installs/updates on your server(s).

Oh, here's a hint - DO NOT REMOVE THE "LOCK" FILE FROM YOUR FORUM'S INSTALL FOLDER! Without it, you are likely open to attacks!

Developers: If the above statement is "dangerous", please edit this post and remove it along with this statement. THX

I think it's time to close this thread and allow it to quietly die now, isn't it?

Great post! And agree about closing it.

Thank you. Couldn't have said it better myself.
Now that MyBB is open source, I'd love to see a custom version made by TE8 that is 100% secure from day one, let's see how your "good programming principles" will help you.