MyBB Community Forums

is this changed in 1.6
Hello there,
As usual I was surfing for security issues on phpBB3 and MyBB (as you can understand, because I shifted from phpBB3 recently due to this issue), and I found the following thread:

http://www.phpbb.com/community/viewtopic...#p12785232 (point 3)

Can any MyBB team member explain... is this really a risk, or has it been resolved in MyBB 1.6?

Just ignore those posts, there are no security problems in MyBB to date. They are all biased to make people use phpBB and not any competitor products.
Looking at the code an SID won't enable you to login as anybody, you need the loginkey for that which is stored in the users table. Not to mention the fact that this will only show your own SID, which you can see via the cookies anyway, so I'm not really sure what the problem is.
That means only users with proper powers can see these details, others won't??
I think those details can be viewed by anyone when there is a database crash.
It's not about powers; it'll happen whenever there's an error with this table to whoever is loading the page, but you can't see someone else's SID with this. If there is an error with the sessions table, the error will show your own SID, which you can see in your cookies anyway, it won't show anybody else's SID, and you can't login as anybody with just an SID. It's showing you a piece of information you already have access to, that you can't do anything with.
Basically, it's not a security issue and not anything that you need to worry about.
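To make the point in the reply above concrete, here is a small model of the two-cookie scheme it describes: the session id only selects a session row, while logging in as an account requires the loginkey held in the users table. This is an added example written for this thread, not MyBB's own code; the cookie names and the `uid_loginkey` cookie format are assumptions for the illustration, and the session and user rows are constructed sample data.

```python
import secrets

# Constructed sample data standing in for the sessions and users tables.
# A session row maps a session id (sid) to the uid it was last bound to.
SESSIONS = {
    "a1b2c3d4e5f60718": 7,    # alice's current session
    "0f0e0d0c0b0a0908": 0,    # a guest session
}
# The loginkey is a per-account secret; it is what the login cookie must match.
USERS = {
    7: {"username": "alice", "loginkey": "3f8c2e9a1b7d4e6f0a5c8b2d9e1f7a3c"},
    12: {"username": "bob", "loginkey": "9d2b7e4f1a6c3e8b5f0d2a7c4e9b1f6d"},
}


def resume_session(cookies, sessions=SESSIONS, users=USERS):
    """Return the uid the request is authenticated as, or 0 for a guest.

    Assumed cookie layout (an assumption, not taken from MyBB source):
      - 'sid'      : the session id; only identifies a session row.
      - 'mybbuser' : 'uid_loginkey'; proves the account.
    Knowing someone's sid therefore never logs you in as them, because the
    account is decided solely by whether the loginkey matches the users table.
    """
    sid = cookies.get("sid", "")
    session_uid = sessions.get(sid, 0)   # looked up, but never trusted for auth

    user_cookie = cookies.get("mybbuser", "")
    if "_" not in user_cookie:
        # No login cookie at all: the sid alone only gets you a guest session,
        # whatever uid the session row happens to point at.
        return 0

    uid_str, presented_key = user_cookie.split("_", 1)
    if not uid_str.isdigit() or int(uid_str) not in users:
        return 0
    uid = int(uid_str)

    # Constant-time comparison so a wrong loginkey cannot be guessed byte by byte.
    if not secrets.compare_digest(presented_key, users[uid]["loginkey"]):
        return 0

    # Login cookie is valid: (re)bind the session row to this uid, if one exists.
    if sid in sessions:
        sessions[sid] = uid
    return uid


def error_page_for_request(cookies, table_prefix="mybb_"):
    """Model what a sessions-table error would reveal: the requester's own sid
    (already in their cookies) and the table prefix. No loginkey, no other
    user's sid. Output format is invented for this example."""
    return "Query error on table %ssessions (sid=%s)" % (table_prefix, cookies.get("sid", ""))


if __name__ == "__main__":
    # An attacker who copied alice's sid but has no loginkey stays a guest.
    stolen = {"sid": "a1b2c3d4e5f60718"}
    print("stolen sid only ->", resume_session(stolen))          # 0

    # Alice herself, with her loginkey cookie, is authenticated.
    alice = {"sid": "a1b2c3d4e5f60718", "mybbuser": "7_" + USERS[7]["loginkey"]}
    print("sid + valid loginkey ->", resume_session(alice))      # 7

    print(error_page_for_request(stolen))
```

The `error_page_for_request` helper shows why the error in question is harmless: the only sid it can print is the one the requester already sent, and a sid without the matching loginkey never authenticates.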
I wonder why people say things like that when they really don't know exactly what it is... thanks for discussing this.
I think the main point the guy at phpBB was trying to make was that your database prefix was displayed, really. Though that doesn't really matter, as 99% of people keep the default mybb_ one.
Yes, I have changed the prefix on my forum (so I don't know if it really matters??)
Also, as long as it is not showing the DB name and other details, it is fine, I think. What do you say on this??