MyBB Community Forums

Full Version: MyBB 1.6.3 SQL Injection Vulnerability
I just went to my test forum here: http://lulzimg.x10.bz/forum/ and guess what I saw? All the CSS and Javascript files have been deleted. I was so pissed when I saw that, but at the same time glad that it was only my test forum.
I began to think what might have happened to it, so I tried all hacking methods on it to see if someone might have accessed it. I tried XSS, RFI, then SQL injection and nothing worked. But I was sure someone got into my account and messed me up, so I ran Havij on it and guess what? The site is vulnerable to SQLi! I tried again and it said it's not. Then again and it said it is!
What the hell is going on? I thought MyBB 1.6.3 was supposed to be as secure as hell?!?!?!?!??!?!?!?!
Havij does produce a lot of false positives. You can't say it's really vulnerable unless you successfully managed to inject it (at least get the database schema from it). There is no vulnerability in the latest version of MyBB.

Are you using any plugins?

And there are many ways to get into your Forum.

1) Through rooting, or gaining access to your server.
2) You might have been infected with a keylogger, through which they might have got the admin password.
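The point about scanner false positives can be seen on the kind of parameter a forum listing takes. The snippet below is an added illustration, not MyBB's code and not posted by anyone in this thread: it assumes (as MyBB 1.6 does for fid, though the exact line is not quoted here) that the forum id is cast to an integer before it is used in a query, and it shows what happens to a request value that is not a plain number. A tool that only looks for changed responses has nothing to work with, because the query text never varies with the input.

```php
<?php
// Added example, not MyBB's own code: why an integer-cast request parameter
// such as forumdisplay.php?fid=2 is not injectable, and why a scanner that
// flags it is reporting a false positive. The cast-then-use pattern is an
// assumption about how the forum handles fid; the table name is constructed.

function forum_id_from_request(array $input)
{
    // Anything that is not a plain integer collapses to 0 or to its leading
    // digits; no other part of the string survives the cast.
    return isset($input['fid']) ? intval($input['fid']) : 0;
}

function build_forum_query($fid)
{
    // Only the already-cast integer is interpolated, so the request cannot
    // change the shape of the statement.
    return "SELECT * FROM mybb_forums WHERE fid='" . intval($fid) . "'";
}

// Constructed sample inputs: one normal request and two malformed values of
// the sort an automated scanner sends when probing a parameter.
$samples = array(
    array('fid' => '2'),
    array('fid' => "2'"),
    array('fid' => '2 OR 1'),
);

foreach ($samples as $input) {
    $fid = forum_id_from_request($input);
    printf("%-8s -> fid=%d -> %s\n", $input['fid'], $fid, build_forum_query($fid));
}
```

Every row prints the same query, `SELECT * FROM mybb_forums WHERE fid='2'`, which is exactly why a yes/no/yes verdict from a scanner on such a parameter should be checked by hand (by reading the code path or by a real, confirmed extraction) before it is reported as a vulnerability.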
Someway your headerinclude template got just deleted or modified, by a plugin or something. This happens to me sometimes on my localhost.
(2011-07-13, 03:40 PM)kavin Wrote: Havij does produce a lot of false positives. You can't say it's really vulnerable unless you successfully managed to inject it (at least get the database schema from it). There is no vulnerability in the latest version of MyBB.

Are you using any plugins?

And there are many ways to get into your Forum.

1) Through rooting, or gaining access to your server.
2) You might have been infected with a keylogger, through which they might have got the admin password.

You may be right about Havij.

1) That is on a free hosting server, so could that be the problem? The admins of the hosting can get in and do whatever they like, but I don't think they'd do that. The only other way would be to access the cPanel.
2) I am not infected with anything 'cause I'm backed behind 2 firewalls, 2 anti-malware, and 1 anti-spyware. And they're powerful.
I wouldn't trust Havij. As far as I know, there currently aren't any known vulnerabilities in 1.6.3. Please do some research before posting a thread with the title 'MyBB 1.6.3 SQL Injection Vulnerability' that scares everyone to death.
I agree with destroyer. And can you provide a link on which you tried SQL injection?
(2011-07-13, 03:53 PM)kavin Wrote: I agree with destroyer. And can you provide a link on which you tried SQL injection?

http://lulzimg.x10.bz/forum/forumdisplay.php?fid=2

Also, the posts I made in that forum are all gone.
see url

>lulz

son im disappoint
you deserve to get injected
(2011-07-13, 04:02 PM)Glas Wrote: see url

>lulz

son im disappoint
you deserve to get injected

What are you talking about? Because I put "lulz" in the URL?
The fact you're on free hosting doesn't help either TBQH.