MyBB Community Forums

Full Version: Staff forum accessed....
Some guy who isn't staff managed to access our staff forum. It's not a permission error in MyBB itself, but I'm not sure what it is....

This is what the hacker said in a topic he made in the staff forum:

Quote: This is a MySQL vulnerability:
Quote: http://www.site.org/showthread.php?tid=1.../limit/**/[row],1),[+],1))=[char]--
I'm not sure how it can be exploited, but it can.

Any ideas how to fix this?

Thanks.
Load of rubbish. Have you tried logging out, and using this to access a staff thread? You just get a no permissions page. The tid is intval'd, it'll chop off all that crap at the end and just have the tid.
(2010-10-31, 11:16 AM) MattRogowski Wrote: Load of rubbish. Have you tried logging out, and using this to access a staff thread? You just get a no permissions page. The tid is intval'd, it'll chop off all that crap at the end and just have the tid.

No idea how he got access....
Does he have proof that he's got something from your forum?
(2010-10-31, 01:08 PM) -AW- Wrote: Does he have proof that he's got something from your forum?

What?

He made a thread in the staff forum, he is a normal member with no extra permissions, I even tested it with a standard account.
I'm going to try this myself on my Support Forums for MillionCMS. I'll report back when we've done the above on a test user.
Nope, this bug is completely false, I get No Permission errors.
Turns out a staff member moved it... The logs were a little confusing as a lot of moving was done.
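
The integer cast and the separate permission check discussed in the thread, as an added example that is not part of the original posts and is not MyBB's own code. The helper names, the thread/forum ids and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration with constructed data; not MyBB source code.

// Constructed sample: thread id => forum id, and the forums a guest may view.
const THREAD_FORUM = [1 => 2, 7 => 9];   // thread 7 sits in staff forum 9
const GUEST_VISIBLE_FORUMS = [2];

// Hypothetical helper: reduce the request value to an integer thread id.
function clean_tid($raw): int
{
    // Arrays (showthread.php?tid[]=1) are not scalar; treat them as invalid.
    if (!is_scalar($raw)) {
        return 0;
    }
    // intval() keeps the leading digits and drops everything after them.
    return intval($raw);
}

// Hypothetical lookup: the cast happens first, the permission check second.
function view_thread($raw): string
{
    $tid = clean_tid($raw);
    if (!array_key_exists($tid, THREAD_FORUM)) {
        return "invalid thread";
    }
    if (!in_array(THREAD_FORUM[$tid], GUEST_VISIBLE_FORUMS, true)) {
        return "no permission";
    }
    // Only the integer ever reaches the SQL text.
    return "SELECT subject FROM threads WHERE tid=" . $tid;
}

// Constructed inputs with trailing text appended to the tid, as in the quoted URL.
$samples = ["1", "1 AND 1=1--", "7/**/AND/**/1=1--", "abc", ["1"]];
foreach ($samples as $s) {
    printf("%-24s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), view_thread($s));
}
```

Whatever follows the leading digits never reaches the query, and a valid id for a staff thread still stops at the permission check.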