MyBB Community Forums

Full Version: security issues
Hi,

I'm inviting the team at myBB to have a completely unfettered and free hand to roam around my forum because I believe that either there is a security flaw in myBB (unlikely?) or that someone external to me and my site has gained access and "banned" me as admin, but not actually banned as I can still get into ACP. It would appear that a false page has been created to give the appearance of banning.

Clearly I don't want to put too many details here for public view, so if the team at myBB want to have a look they may do so. PM me. It might be that if there is enough evidence of external tampering that I might complain to the police, but because the site is low-value, it might not warrant that kind of attention.
The only known way of getting into MyBB would be to hack your host's database server and change it there. We don't know of any current security vulnerabilities.
Probably a plugin, another software, or another admin set your display group to banned to mess with you.
Can other people check if they create a spare admin account and ban it by IP address, that account will be banned but still able to access the ACP?
If you ban someone by IP then that IP cannot access your forum full stop.
Yes, I understand the theory of it.

All I'm asking is that someone tests it please?

Is that too much to ask? Just a quick check?

Okay, guys, despite the rudeness of the email I got from you - I have proved that a banned account still gets into the ACP.

I have done a fresh install of myBB.

goto:

www.langley.me.uk

username = new_admin
pw = knock2

it will tell you you have been banned - but you can still get into the ACP.

I won't be using myBB now or in the future - because you have proved you don't listen to your users.

I realise that my IP is not the same as yours - but I banned myself and was able to get into the ACP.

You will be able to create yourself an admin account, ban your IP address and see that you get in.

I shall leave this test up til tomorrow.

I banned all IP addresses - I can still get in.
Several of my friends have told me they can see the ban and still get into the acp.

I cannot believe the arrogance of your email to me and of the post above.

You have a security flaw.

Don't rush to say thank you much less apologise guys - you've shown yourselves up anyway.

What I want to know is can old Admin accounts still get access to the acp?
How do I modify the database to prevent old admin accounts gaining access to the acp?

I'm sure you won't want to help me after I have highlighted your rudeness - but I'll be
shifting from this poor piece of forum software quick-sharp.
(2010-08-15, 04:06 PM)kevinhannan Wrote: Okay, guys, despite the rudeness of the email I got from you

I won't be using myBB now or in the future - because you have proved you don't listen to your users.

I realise that my IP is not the same as yours - but I banned myself and was able to get into the ACP.

I cannot believe the arrogance of your email to me and of the post above.

You have a security flaw.

Don't rush to say thank you much less apologise guys - you've shown yourselves up anyway.

I'm sure you won't want to help me after I have highlighted your rudeness - but I'll be
shifting from this poor piece of forum software quick-sharp.

No idea where anyone was rude but you're misunderstanding what an IP ban does. It bans you from the forum, not the ACP. There's a ban there for * so that blocks all access to the forum but not the ACP. If it blocked you from the ACP, a rogue admin could put that in and lock everybody out. It's not there to lock people out of the ACP, that's not the point of it.

(2010-08-15, 04:06 PM)kevinhannan Wrote: What I want to know is can old Admin accounts still get access to the acp?
How do I modify the database to prevent old admin accounts gaining access to the acp?

If they're not in a group that can access the ACP, it just loads the login screen whenever they try and login...
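The reply above answers the "how do I modify the database" question in principle: ACP access follows group permissions, not bans. The following is an added example, not from the thread or the MyBB project, showing how to audit and revoke that access directly in MySQL. It assumes the default MyBB schema with the standard "mybb_" table prefix (users.usergroup, users.additionalgroups as a comma-separated list, usergroups.cancp, adminsessions, adminoptions), Registered = gid 2, and a constructed uid 7 for the departed admin.

```sql
-- Added example, not from the thread or the MyBB project. Assumes the default
-- MyBB schema with the standard "mybb_" table prefix and MySQL's FIND_IN_SET().
-- Back up the database before running the UPDATE/DELETE statements.

-- 1. Which accounts can currently reach the ACP? Membership via the primary
--    group OR any additional group counts, so check both.
SELECT u.uid, u.username, u.usergroup, u.additionalgroups, g.title
FROM mybb_users u
JOIN mybb_usergroups g
  ON g.gid = u.usergroup
  OR FIND_IN_SET(g.gid, u.additionalgroups) > 0
WHERE g.cancp = 1
ORDER BY u.uid;

-- 2. Revoke ACP access for a departed admin (uid 7 is a constructed value):
--    move the primary group to Registered (gid 2 in a default install) and
--    clear any additional groups, instead of relying on an IP ban.
UPDATE mybb_users
SET usergroup = 2, additionalgroups = ''
WHERE uid = 7;

-- 3. End any ACP session the account still holds so the revocation takes
--    effect now rather than when the session expires.
DELETE FROM mybb_adminsessions WHERE uid = 7;

-- 4. Drop the per-admin permission row, if one exists.
DELETE FROM mybb_adminoptions WHERE uid = 7;

-- 5. Re-run step 1: uid 7 must no longer appear in the result.
```

Step 1 is also a useful periodic check on its own, since a forgotten additional group grants ACP access just as surely as the primary group does.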
Thank you for your reply.

The rudeness was in a personal email, but that's by-the-by.

Quote:
"you're misunderstanding what an IP ban does. It bans you from the forum, not the ACP. There's a ban there for * so that blocks all access to the forum but not the ACP. If it blocked you from the ACP, a rogue admin could put that in and lock everybody out. It's not there to lock people out of the ACP, that's not the point of it."

The point of a ban is exactly that - as the guy Polarbear said in an earlier post - it locks you out. As it happens I have a rogue ex-admin who can do what he wants.

Surely common sense must prevail here? A ban is a ban - not access to ACP! Come on!
People can only login to the ACP if you've given them ACP access. The IP ban stops you from accessing the forum. I'm not really sure what the problem is.
Then your train must have derailed - I'm over this thread.