MyBB Community Forums

Full Version: Spam in Header
Hello,

Today I recognized that there seems to be a security bug in my MyBB Version 1.2.9. Please see here:

http://www.scirocco-forum.de/showthread....14#pid9114

Does anybody know if there's a security update to prevent this spam? Please let me know if you need any more details about my configuration.


Thank you for your help!

Chris
Since 1.2.9 there were 5 updates to MyBB 1.2, 1.2.10 through to 1.2.14. There have also been 5 releases of MyBB 1.4, 1.4.0 through to 1.4.4. If you want to stay on 1.2, at least upgrade to 1.2.14, but upgrading to 1.4.4 is recommended.

People should only really be running either 1.4.4 or 1.2.14 at this point for their own benefit.
Here's a crazy idea: upgrade to 1.2.14

http://community.mybboard.net/showthread.php?tid=33865

edit: beaten!
Many thanks for your fast replies!
Ok, I updated to 1.2.14. Unfortunately the spam in this thread is still there. Where can I remove it? Do I have to access the DB directly?
It looks like you put that there; just edit the theme template.
No, I did not put it there.
Here's the showthread template:

Quote:
<html>
<head>
<title>{$thread['subject']}</title>
{$headerinclude}
<script type="text/javascript">
var quickdelete_confirm = "{$lang->quickdelete_confirm}";
</script>
<script type="text/javascript" src="jscripts/thread.js?ver=121"></script>
</head>
<body>
{$header}
{$pollbox}
<div style="float: right; padding-bottom: 4px;">
{$newreply}{$newthread}
</div>
{$multipage}
<table border="0" cellspacing="{$theme['borderwidth']}" cellpadding="{$theme['tablespace']}" class="tborder" style="clear: both;">
<tr>
<td class="thead" colspan="2">
<div style="float: right;">
<span class="smalltext"><strong><a href="showthread.php?mode=threaded&tid={$tid}&pid={$pid}#pid{$pid}">{$lang->threaded}</a> | <a href="showthread.php?mode=linear&tid={$tid}&pid={$pid}#pid{$pid}">{$lang->linear}</a></strong></span>
</div>
<div>
<strong>{$rating} {$thread['subject']}</strong>
</div>
</td>
</tr>
<tr>
<td class="tcat" width="15%"><span class="smalltext"><strong>{$lang->author}</strong></span></td>
<td class="tcat" width="85%"><span class="smalltext"><strong>{$lang->message}</strong></span></td>
</tr>
{$posts}
{$threadpages}
<tr>
<td colspan="2" class="tfoot">
<div><strong>« <a href="showthread.php?tid={$tid}&action=nextoldest">{$lang->next_oldest}</a> | <a href="showthread.php?tid={$tid}&action=nextnewest">{$lang->next_newest}</a> »</strong></div>
</td>
</tr>
</table>
<div style="padding-top: 4px;">
{$newreply}{$newthread}
</div>
{$threadexbox}
{$quickreply}
{$moderationoptions}
{$similarthreads}
<br />
<table border="0" cellspacing="{$theme['borderwidth']}" cellpadding="{$theme['tablespace']}" class="tborder" style="clear: both;">
<tr>
<td class="trow1">
<table width="100%">
<tr>
<td>
<span class="smalltext">
<a href="printthread.php?tid={$tid}">{$lang->view_printable}</a><br />
<a href="sendthread.php?tid={$tid}">{$lang->send_thread}</a><br />
<a href="usercp2.php?action=addsubscription&tid={$tid}">{$lang->subscribe_thread}</a> | <a href="usercp2.php?action=addfavorite&tid={$tid}">{$lang->add_favorites}</a>
</span>
</td>
<td align="right">
{$ratethread}
<br />
{$forumjump}
</td>
</tr>
</table>
</td>
</tr>
</table>
{$footer}
</body>
</html>

The spam seems to be located at {$header} because it's located right after the <body> tag in the html code. But the header template seems not to be "infected".

Furthermore this is the only thread where the spam appears! It also appears only on the first site of this thread.


Ok, correction: the spam is shown in all threads, but not visible in most of them. And it is always different. So it should not be the template?
Being in that location it would actually probably be the headerinclude template but as to why it's only on that thread... that's a bit odd. This is in the source:

<script type="text/javascript"> 
function showBanner() {
 
	var fid = "9";
 
	div = document.getElementById('banner');
 
	if (fid.length > 0) {
		div.src = "http://www.scirocco-forum.de/ads/adrotator.php?fid="+fid;
	} else {
		div.src = "http://www.scirocco-forum.de/ads/adrotator.php";
	}
}
</script>
Yes, right, the banner script is in the source. But I included this to show the banner.

With regard to the spam in only one thread, I corrected myself. Please see above. Thanks.


(2009-02-28, 09:56 AM) Mattalan wrote:
Being in that location it would actually probably be the headerinclude template but as to why it's only on that thread... that's a bit odd. This is in the source:

<script type="text/javascript"> 
function showBanner() {
 
	var fid = "9";
 
	div = document.getElementById('banner');
 
	if (fid.length > 0) {
		div.src = "http://www.scirocco-forum.de/ads/adrotator.php?fid="+fid;
	} else {
		div.src = "http://www.scirocco-forum.de/ads/adrotator.php";
	}
}
</script>

Here's the headerinclude:

Quote:
<link rel="alternate" type="application/rss+xml" title="{$lang->latest_threads} (RSS 2.0)" href="{$mybb->settings['bburl']}/syndication.php" />
<link rel="alternate" type="application/atom+xml" title="{$lang->latest_threads} (Atom 1.0)" href="{$mybb->settings['bburl']}/syndication.php?type=atom1.0" />
<meta http-equiv="Content-Type" content="text/html; charset={$charset}" />
<script type="text/javascript" src="{$mybb->settings['bburl']}/jscripts/prototype.lite.js?ver=121"></script>
<script type="text/javascript" src="{$mybb->settings['bburl']}/jscripts/moo.ajax.js?ver=121"></script>
<script type="text/javascript" src="{$mybb->settings['bburl']}/jscripts/general.js?ver=121"></script>
<script type="text/javascript" src="{$mybb->settings['bburl']}/jscripts/popup_menu.js?ver=121"></script>
<link rel="stylesheet" type="text/css" href="{$theme['css_url']}" />
<link rel="shortcut icon" href="http://www.scirocco-forum.de/favicon.ico">
<meta name="verify-v1" content="uhhEvbQGFz2NvckJgY4pzYJo4q0BkfxYSi31lKW2GUo=" />
<script language="Javascript" type="text/javascript">
<!--
var cookieDomain = "{$mybb->settings['cookiedomain']}";
var cookiePath = "{$mybb->settings['cookiepath']}";
var newpm_prompt = "{$lang->newpm_prompt}";
var deleteevent_confirm = "{$lang->deleteevent_confirm}";
var removeattach_confirm = "{$lang->removeattach_confirm}";
var loading_text = '{$lang->ajax_loading}';
var saving_changes = '{$lang->saving_changes}';
// -->
</script>
<meta name="description" content="VW Scirocco 3 III Forum - Die Community zum neuen VW Scirocco." />
<meta name="keywords" content="Sciroccoforum, Scirocco forum, VWScirocco Forum, Scirocco3forum, Scirocco3 forum, VWScirocco3 Forum, VWScirocco3 Forum, Scirocco 3 forum, Scirocco 3 forum, VWScirocco 3 Forum, Scirocco, Scirocco3, Scirocco 3, Scirocco III, Scirocco08, Scirocco 08, Scirocco2008, Scirocco 2008, Scirocco GT24, SciroccoGT24, Scirocco R, SciroccoR, Forum, Iroc, IROC, VWIroc, neu, neuer, 2008, VW Scirocco, VWScirocco, scirocco bestellen, mission scirocco, rennversion, News, Board, Community, Interessengemeinschaft, IG, Diskussionen, Hilfe, Tips, Tipps, Tricks, FAQ, Testbericht, Testberichte, Autotest, Online, Mitglied werden, Iroc-Forum, Irocforum, Iroc Forum, VW, Iroc Club, Irocclub, Scirocco Club, Sciroccoclub, Tuning, Teile, Rückleuchten, 1.4, 1.8 T, GT, 1.8, 2.0 TFSI, TFSI, 2.0 FSI, FSI, Turbo, V6, TDI, CR, R32, R 32, R36, R 36, R-Line, Corrado, Scirocco, Nachfolger, G-Lader, G60, VR6, 20, 2.0, 16V, Cupra, Cupra R" />

<style type="text/css">
body {
background-color: rgb(215, 215, 215);
font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif;
font-size: 13px;
color: Black;
margin-top: 0px;
margin-left: 0px;
margin-right: 0px;
}
a {
text-decoration: none;
color: #0066FF;
}
a:hover {
color: red;
}
td {
font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif;
color: #000000;
}
</style>
{$newpmmsg}

Ok, when I post a new thread the spam is not shown there:

http://www.scirocco-forum.de/showthread.php?tid=705


I also recognized that the spam is also located in the forums themselves.
There's a new problem: Since the update it is not possible to move, delete, etc. threads any more. Does anybody have an idea?
After some time the spam also appeared in the new threads. Very strange...
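
Added example, not part of the thread or of MyBB: the thread describes spam that sits right after the <body> tag, is invisible on most pages, and does not show up in the stored templates, so one check is to scan the rendered page rather than the template and list every off-site link, marking those hidden by inline CSS. The host names (forum.example, spam.example, partner.example), the hiding patterns and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the thread): placeholder host names and a small set of
# inline-CSS patterns that keep injected links out of sight.
OWN_HOSTS = {"forum.example"}
HIDING = ("display:none", "visibility:hidden", "left:-", "top:-", "text-indent:-")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class InjectionScanner(HTMLParser):
    """Record every off-site href/src and whether an enclosing element hides it."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.stack = []      # (tag, hidden) for each currently open element
        self.findings = []   # (line, tag, url, hidden)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        inherited = bool(self.stack) and self.stack[-1][1]
        hidden = inherited or any(p in style for p in HIDING)
        for name in ("href", "src"):
            host = urlparse(attrs.get(name) or "").hostname
            if host and host not in self.own_hosts:
                self.findings.append((self.getpos()[0], tag, attrs[name], hidden))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close the nearest open element of this name, tolerating sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(rendered_html, own_hosts=OWN_HOSTS):
    scanner = InjectionScanner(own_hosts)
    scanner.feed(rendered_html)
    scanner.close()
    return scanner.findings

# Constructed sample of a rendered page: one hidden off-site link right after <body>.
SAMPLE = """<html><head><link rel="stylesheet" href="http://forum.example/theme.css" /></head><body>
<div style="position: absolute; left: -9999px;"><a href="http://spam.example/pills">pills</a></div>
<div id="container"><a href="http://forum.example/index.php">Index</a>
<a href="http://partner.example/">Partner</a></div>
</body></html>"""
```

Findings with hidden set to True that do not appear in any stored template point to content added at render time, which is then a matter of checking the PHP files and plugins on disk rather than the template editor.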