MyBB Community Forums

Full Version: Improve MyBB Security
Maybe the focus shouldn't be on securing the software for knowledgeable and experienced admins and make the software more secure for new admins who want an easy forum system to use.
Quote: Reporting a security issue to MyBB is actually hard work

I have reported, had fixed, and a release update within 2 hours of reporting a critical security risk. Not sure what you reported but if it's not critical such as this it's going to be ignored. What you're reporting is very low risk and it has more to do with trust of your staff than MyBB.

I think this thread is ridiculous.

Quote: Works since PHP 5.

Technically MyBB is not PHP 5 compatible yet on a number of fronts. People constantly report issues related to PHP 5.
I reported issues that let me hack sites I had no affiliation with.

I'm not a designer, yet I have one theme available as verified download in the MyBB mods database. Why do you think that is? Do you know there's not a backdoor in there? No, you don't. Naturally, there isn't. But to be sure you have to actually double check everything, can't trust anything, just because someone deemed something completely unnecessary to be too low of a risk to be fixworthy.
It looks like the MyBB staff won't budge on fixing these possible exploits in the code itself, but maybe somebody can release some code edits that we can perform ourselves to plug these vulnerabilities on our boards?

In an age where social engineering is at its peak, I don't accept common sense as a plausible security method.
Quote: But to be sure you have to actually double check everything, can't trust anything,

Exactly why your original security report is low risk. It requires you to trust blindly another admin.
But couldn't these exploits be in custom themes also?
(2010-03-18, 01:21 AM) labrocca Wrote:
Quote: But to be sure you have to actually double check everything, can't trust anything,

Exactly why your original security report is low risk. It requires you to trust blindly another admin.
To reiterate, there are different levels of trust. Why are there moderators and administrators? Do you trust your moderators? If so, why aren't they administrators? Heck, why don't you give them FTP access to the server as well?
Exactly. Admins should basically be top tiered trusted members and if you want just make sure admins don't have template edit access if you can't trust them.

If you have a rogue admin that wants to screw you over...he'll find a way to do it. With or without exploits like this.
Coming into this and reading the entire thread, this whole thing looks like a matter of people not using good judgment to me. Is common sense a security feature? Not the kind you sell, but it certainly seems to be able to secure a lot of things if you use it...

Honestly, if you can't trust your staff not to use/abuse powers available to them that they have no need of, maybe you should reconsider having them as your staff. Why not just give them all full access to everything then? Simple - unnecessary risks.
Risking that the person designing/redesigning the site could redesign it in a way which damages it = necessary
Risking that your moderator will set it up so you can't use the ACP despite the fact you're only asking them to moderate the boards = unnecessary

So are these unnecessary risks too? Maybe... but shouldn't you choose people you trust not to destroy your forum as admins, not ones you question that of? If you aren't sure they won't damage your forum/site, then you'd need to limit more than just backups and template edits - what about all those plugins, settings, warning levels, banned IPs, etc? I can think of a number of malicious acts that could be done with them too...

As for the risk of someone not associated with the forum being able to gain access or do harm...yep, they can. Good reason to be careful where you get themes, plugins, and modifications from, isn't it? Just seems to mean it's smart to make sure the person you're getting these things from is trustworthy.
(2010-03-18, 03:26 AM) labrocca Wrote: Exactly. Admins should basically be top tiered trusted members
Yes, members. Not people who execute PHP code.
(2010-03-18, 03:26 AM) labrocca Wrote: and if you want just make sure admins don't have template edit access if you can't trust them.
Of course, but do you expect the average MyBB administrator would know this?

(2010-03-18, 03:26 AM) labrocca Wrote: If you have a rogue admin that wants to screw you over...he'll find a way to do it. With or without exploits like this.
Really? They can delete your forum, mess up users etc, but by making someone admin, I know they can do this.
Now what about messing up another forum hosted on the same server? I certainly didn't give them administrator access for that... Without such an exploit as this (and any other exploit), please explain to me how a rogue admin would mess up another script on the server.
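The mitigation labrocca suggests above, taking template edit access away from admins you do not fully trust, is only useful if you can actually see who holds it. The following is an added example, not code from this thread or from MyBB itself: a small Python audit that takes rows as exported from MyBB's adminoptions table and reports which administrators hold sensitive ACP permissions. It assumes MyBB stores per-admin ACP permissions as a PHP-serialized array in the `permissions` column of `<prefix>adminoptions`, and that the key paths `['style']['templates']` (template editing) and `['tools']['backupdb']` (database backups) are the relevant grants; verify both against your MyBB version. The rows in the block are constructed sample data, not real accounts.

```python
"""Audit which MyBB administrators hold sensitive ACP permissions.

Added example, not part of the thread or of MyBB. Assumptions (verify
against your MyBB version): the `permissions` column of the
adminoptions table holds a PHP-serialized array, and the key paths in
SENSITIVE below are the grants that matter. Written in Python so it can
run against a database export without a PHP runtime.
"""


def php_unserialize(data: str):
    """Minimal parser for the PHP serialize() subset MyBB uses:
    arrays, ASCII strings, ints, bools and null. Returns Python values."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos]
        if tag == "N":                      # N;
            pos += 2
            return None
        if tag in "ib":                     # i:123;  b:1;
            end = data.index(";", pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return bool(val) if tag == "b" else val
        if tag == "s":                      # s:5:"style";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2               # skip ':"'
            val = data[start:start + length]
            pos = start + length + 2        # skip '";'
            return val
        if tag == "a":                      # a:2:{key;value;key;value;}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                 # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                        # skip '}'
            return result
        raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

    return parse()


# Assumed permission key paths (label -> path into the permissions array).
SENSITIVE = {
    "template editing": ("style", "templates"),
    "database backup": ("tools", "backupdb"),
}

# Constructed sample rows: (uid, username, serialized permissions).
SAMPLE_ADMINOPTIONS = [
    (1, "owner",
     'a:2:{s:5:"style";a:2:{s:6:"themes";i:1;s:9:"templates";i:1;}'
     's:5:"tools";a:1:{s:8:"backupdb";i:1;}}'),
    (7, "promoted_mod",
     'a:2:{s:5:"style";a:2:{s:6:"themes";i:1;s:9:"templates";i:1;}'
     's:5:"tools";a:1:{s:8:"backupdb";i:0;}}'),
    (9, "helpdesk",
     'a:1:{s:5:"style";a:2:{s:6:"themes";i:0;s:9:"templates";i:0;}}'),
]


def _granted(perms, path):
    """True only if every key on the path exists and the leaf is truthy.
    A missing key is treated as not granted (assumption)."""
    node = perms
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return bool(node)


def audit(rows, sensitive=SENSITIVE):
    """Return {username: sorted list of sensitive grant labels}."""
    report = {}
    for _uid, username, serialized in rows:
        perms = php_unserialize(serialized)
        report[username] = sorted(
            label for label, path in sensitive.items() if _granted(perms, path)
        )
    return report


if __name__ == "__main__":
    for user, grants in audit(SAMPLE_ADMINOPTIONS).items():
        print(f"{user}: {', '.join(grants) if grants else 'no sensitive grants'}")
```

Run it against a real export by replacing `SAMPLE_ADMINOPTIONS` with the `(uid, username, permissions)` tuples from your own database; any account listed under "template editing" that is not the site owner is a candidate for the permission removal discussed in this thread.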



In either case, here's a plugin which hopefully does this. I haven't tested it extensively, and it's not really the nicest solution. It also doesn't handle cases where multiple database servers are supplied.