MyBB Community Forums

Inordinate amount of security vulnerabilities?
Pages: 1 2 3 4 5 6 7 8
Do you think MyBB has too many security vulnerabilities?

Since installing it, my server has been hacked 3 times, every time because of MyBB. Nothing else on the server, not the scripts I write myself nor other software I use has these issues.

I was signed up to the mailing list which used to tell me when there was an update, and that kept me safe for a while. But for some reason unknown to me I received no such updates recently, and only found out about the severe problems when I got complaints about my server hosting phishing scams. And every time the culprit is the same: MyBB.

I know it's more vulnerable if your software can be freely downloaded from this website for the whole world to inspect your code, but still, if you simply follow basic security practices from the start, surely this wouldn't happen?

I leave with a question: if I leave MyBB on my server, will there eventually be another way for malicious individuals to inject code or remotely execute a script on my server? How does it keep happening?
Well it's the server, surely?? And anyone can hack any forum software if they want, whether it's free or not, if they have the time and the resources.
(2008-10-06, 08:11 PM)Matt_ Wrote: Well it's the server, surely??
It's problems caused by MyBB security vulnerabilities that they later fix.

(2008-10-06, 08:11 PM)Matt_ Wrote: anyone can hack any forum software if they want, whether it's free or not, if they have the time and the resources.
They fix something in all these security updates, which suggests it was broken before. It's a lot harder to hack if all your inputs are sanitised and safe so code injection can't happen, etc. Of course things might get through the cracks, but I don't think vBulletin has anything really major like this very often. At the most there might be a vulnerability for a user, but nothing that endangers your server.
Well, they can't fix everything at once; it takes time to find problems and fix them. I doubt you could make a piece of forum software that was completely attack-proof. I doubt anyone can. And I used to go on a vB forum that was totally destroyed, forum and database, gone, because a group of people hacked it. If you make regular backups, then if you are unlucky enough to get hacked, it isn't the end of the world.
(2008-10-06, 08:05 PM)Te 8 Wrote: I was signed up to the mailing list which used to tell me when there was an update, and that kept me safe for a while. But for some reason unknown to me I received no such updates recently, and only found out about the severe problems when I got complaints about my server hosting phishing scams. And every time the culprit is the same: MyBB.
So you weren't running the latest version of MyBB? The best thing to do is check for updates in the ACP regularly and on the website.

I think I had one experience with a hacked MyBB because I was using an old version for a few weeks before updating. Some code got screwed up, and somebody uploaded a 100MB bin file to my hosting account and some other strange ad files.

I think it's crucial to update as soon as a new version is out because people can check what is changed in the new version and find the vulnerabilities much faster because they know what has changed.

Anyway, I'm sorry to hear that you have these kinds of problems regularly(?).
Out of interest, what host do you use??
Did they change the mailing list then or stop using it? It used to tell me when I needed to upgrade. I don't have time to check all the time myself because I manage many servers and that isn't my day job either.

I just tried to subscribe to it and it says I'm already subscribed, but I received no email. I have unlimited storage and don't delete any emails, and I get such a small amount of spam (no real spam, just the occasional false positive) that I always read the spam folder too.
You can check if you are using the most recent version by clicking one button in the ACP, and it reminds you every 2 weeks to check.
Contact the Admin here regarding the emails not getting through, or try using a different email address. If it was my forum having such problems, I'd be checking for upgrades/updates through the ACP very often!
Also if you get hacked again make sure they don't leave any scripts in any templates. There was a guy here the other week who had a huge great script in his index template, probably to get passwords or something.
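One way to make that template check systematic, as an added example (my code, not MyBB's and not from anyone in this thread): compare every live template with the copy from a clean install of the same version, and separately flag constructs an attacker tends to plant (off-site script/iframe/form targets, zero-sized iframes, JavaScript obfuscation primitives). It assumes the rows were pulled as (tid, title, template) from the templates table (`mybb_templates` with the default prefix); the rows, the reference copies and the `own_hosts` allowlist below are constructed for the demo.

```python
"""Scan MyBB-style template rows for injected scripts after a compromise.

Added example, not part of the thread and not MyBB's own code. Assumes
rows shaped like (tid, title, template) from the templates table; all data
below is constructed.
"""
import re
from urllib.parse import urlparse

# Tags that load from or send data to another host; group 1 is the tag, group 2 the URL.
REMOTE_REF = re.compile(
    r"<(script|iframe|form)\b[^>]*?\s(?:src|action)\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# Zero-sized frames are the classic way to load a drive-by or phishing page invisibly.
HIDDEN_IFRAME = re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0(?![\d%])", re.I)
# Obfuscation primitives that have no business in a forum template.
OBFUSCATION = re.compile(r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode", re.I)


def find_suspicious(body, own_hosts=()):
    """Return the sorted list of finding names for one template body.

    own_hosts: hostnames the forum legitimately loads from. Template variables
    such as {$mybb->settings['bburl']} are skipped: they resolve to the forum itself.
    """
    findings = set()
    for tag, url in REMOTE_REF.findall(body):
        if url.startswith("{$"):
            continue
        host = urlparse(url).hostname          # None for relative paths
        if host and host.lower() not in {h.lower() for h in own_hosts}:
            findings.add(f"external_{tag.lower()}")
    if HIDDEN_IFRAME.search(body):
        findings.add("hidden_iframe")
    if OBFUSCATION.search(body):
        findings.add("obfuscated_js")
    return sorted(findings)


def _norm(text):
    # Ignore pure whitespace differences (line endings, indentation) when comparing.
    return " ".join(text.split())


def template_status(title, body, reference):
    """Compare a live template with the copy from a clean install of the same version."""
    if title not in reference:
        return "untracked"       # custom or attacker-added template: review by hand
    return "unchanged" if _norm(body) == _norm(reference[title]) else "modified"


def scan(rows, reference, own_hosts=()):
    """Report every template that differs from the reference or contains a suspicious construct."""
    report = {}
    for _tid, title, body in rows:
        status = template_status(title, body, reference)
        findings = find_suspicious(body, own_hosts)
        if status != "unchanged" or findings:
            report[title] = {"status": status, "findings": findings}
    return report


# Constructed reference copies, standing in for templates exported from a clean install.
REFERENCE = {
    "index": "<html>{$headerinclude}<body>{$header}{$forums}{$footer}</body></html>",
    "headerinclude": "<script type=\"text/javascript\" "
                     "src=\"{$mybb->settings['bburl']}/jscripts/general.js\"></script>",
    "footer": "<div id=\"footer\">{$mybb->settings['bbname']}</div>",
}

# Constructed live rows: two templates with planted content, one clean, one not in the reference.
SAMPLE_ROWS = [
    (1, "index", REFERENCE["index"] + '<script src="http://evil.example/h.js"></script>'),
    (2, "headerinclude", REFERENCE["headerinclude"]),
    (3, "footer", REFERENCE["footer"]
        + '<iframe src="http://evil.example/p" width="0" height="0"></iframe>'),
    (4, "showthread", "<div>{$posts}</div><script>eval(unescape('%64%6f'))</script>"),
]

if __name__ == "__main__":
    for title, info in scan(SAMPLE_ROWS, REFERENCE, own_hosts={"forum.example"}).items():
        print(f"{title}: {info['status']}, findings={info['findings']}")
```

Against the constructed rows this reports index (modified, external_script), footer (modified, external_iframe and hidden_iframe) and showthread (untracked, obfuscated_js), and stays silent on the untouched headerinclude even though it contains a `<script>` tag. The reference comparison is the part that matters: an attacker's edit will not always match a pattern, but it will always differ from the clean copy, so pull the reference from an untouched download of the exact version you run and treat every "modified" or "untracked" entry as something to inspect by eye before restoring it.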