MyBB Community Forums

Full Version: Improve MyBB Security
I apologize for jumping into this thread that's a bit old. I saw it and found it interesting. I would like to ask what some of the basic steps are for making sure your board is secure? If possible maybe even some more advanced methods. I hadn't ever heard about removing the backups.php page before, that's an example. Any more good ideas for security?
Don't let anyone you don't trust with your forum have an administrator account. :)
Don't let anyone you don't trust with your entire server have an administrator account in MyBB.
Unfortunately this security issue is not directed towards forum owners, forum providers are the real target.
And @Ryan Gordon, you said in this thread:
http://community.mybb.com/thread-70096.html

That:
"You've had plenty of time to make suggestions before we went into beta."

Well, this thread was made before going beta.
(2010-05-28, 01:13 PM) Pirata Nervo Wrote:
And @Ryan Gordon, you said in this thread:
http://community.mybb.com/thread-70096.html

That:
"You've had plenty of time to make suggestions before we went into beta."

Well, this thread was made before going beta.

As I stated before if you can give me a working, non-buggy, non-half-assed solution that doesn't require a huge rewrite of code, then I'll be happy to implement it.

But I'm not going to implement a solution that isn't good. A good solution is to rewrite the template system completely which will come in 2.0, but I have yet to see any other good solutions from anyone.
Did you see Yumi's code? Doesn't seem to require a huge rewrite of code.
(2010-05-28, 04:10 PM) Ryan Gordon Wrote:
As I stated before if you can give me a working, non-buggy, non-half-assed solution that doesn't require a huge rewrite of code, then I'll be happy to implement it.

The catch being that you decide what a working, non-buggy, non-half-assed solution is. Let's not send people on a wild goose chase here - lack of solution never was the problem.

The solution is most trivial and outlined in the first post. Any developer who deserves the title can use this information to come up with a fix within the hour. It's pretty much a one-liner, and a no-brainer. Whether it meets your "non-half-assed" criteria is another matter entirely, not to mention a completely artificial one.

When I notified you of this issue in February, you told me literally that "it's just stupid crap". You decided that it's not a vulnerability, and that it's not going to be fixed. You're the "lead developer", so it was your call to make.

The result is that there are people out there, running and possibly even actively promoting your forum software, to whom this issue is a real threat, because you decided to keep it so.
(2010-05-28, 07:40 PM) frostschutz Wrote:
(2010-05-28, 04:10 PM) Ryan Gordon Wrote:
As I stated before if you can give me a working, non-buggy, non-half-assed solution that doesn't require a huge rewrite of code, then I'll be happy to implement it.

The catch being that you decide what a working, non-buggy, non-half-assed solution is. Let's not send people on a wild goose chase here - lack of solution never was the problem.

The solution is most trivial and outlined in the first post. Any developer who deserves the title can use this information to come up with a fix within the hour. It's pretty much a one-liner, and a no-brainer. Whether it meets your "non-half-assed" criteria is another matter entirely, not to mention a completely artificial one.

When I notified you of this issue in February, you told me literally that "it's just stupid crap". You decided that it's not a vulnerability, and that it's not going to be fixed. You're the "lead developer", so it was your call to make.

The result is that there are people out there, running and possibly even actively promoting your forum software, to whom this issue is a real threat, because you decided to keep it so.

That is correct. It can be used by malicious people to install MyBB and cause havoc in the servers. This should be fixed a.s.a.p., but the attitude of the Lead Developer leaves a lot to be desired with those kinds of arrogant answers.
that_guy, I'd not have commented in any other thread, but I think you're an idiot. The last thing anyone needs is an immature git like you to jump on the train here.

/thread