MyBB Community Forums
ProStats - is it secure? - Printable Version

Thread: ProStats - is it secure? (https://community.mybb.com/thread-147722.html)



ProStats - is it secure? - Paraadox - 2013-11-09

http://security-geeks.blogspot.co.uk/2013/03/mybb-plugin-pro-stat-sqli.html

Huh


RE: ProStats - is it secure? - Darth Apple - 2013-11-09

ProStats is only vulnerable from within the admin panel, since it does not sanitize user input on its configuration page. There are, from what I've heard, other similar vulnerabilities from within the admin panel for MyBB as well. They don't generally put your forum at significant risk because someone would need to gain access to your admin panel before they could exploit them.
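The pattern Darth Apple describes (a configuration page that pastes admin input straight into a query) as an added example, in Python against an in-memory SQLite table. This is not ProStats or MyBB code: the `settings` table, the handler names and the payload are all constructed for illustration. In a MyBB plugin the same fix is `$db->escape_string()` on string values, or an `(int)` cast on numeric ones, before the value reaches the query.

```python
import sqlite3

def make_db():
    """Constructed sample: a tiny settings table standing in for a forum's config store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO settings VALUES (?, ?)", [
        ("prostats_limit", "10"),
        ("admin_email", "admin@example.com"),
    ])
    conn.commit()
    return conn

def save_setting_unsafe(conn, name, value):
    """Hypothetical ACP-style handler: request input interpolated into SQL text."""
    sql = "UPDATE settings SET value='%s' WHERE name='%s'" % (value, name)
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the reader can see what actually ran

def save_setting_safe(conn, name, value):
    """Same handler with parameter binding: value travels as data, never as SQL."""
    conn.execute("UPDATE settings SET value=? WHERE name=?", (value, name))
    conn.commit()

def save_int_setting_safe(conn, name, value, lo=1, hi=100):
    """Defense in depth for numeric settings: coerce and range-check before any SQL."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValueError("expected an integer for %s" % name)
    if not lo <= n <= hi:
        raise ValueError("%s out of range" % name)
    conn.execute("UPDATE settings SET value=? WHERE name=?", (str(n), name))
    conn.commit()
    return n

def get_setting(conn, name):
    row = conn.execute("SELECT value FROM settings WHERE name=?", (name,)).fetchone()
    return row[0] if row else None

# Constructed payload: closes the quoted value, retargets the WHERE clause,
# and comments out the rest of the original statement.
PAYLOAD = "x' WHERE name='admin_email' -- "

def demo():
    """Run the same input through both handlers and report what each changed."""
    results = {}

    conn = make_db()
    results["unsafe_sql"] = save_setting_unsafe(conn, "prostats_limit", PAYLOAD)
    results["unsafe_admin_email"] = get_setting(conn, "admin_email")   # now 'x'
    results["unsafe_limit"] = get_setting(conn, "prostats_limit")      # untouched: '10'

    conn = make_db()
    save_setting_safe(conn, "prostats_limit", PAYLOAD)
    results["safe_admin_email"] = get_setting(conn, "admin_email")     # unchanged
    results["safe_limit"] = get_setting(conn, "prostats_limit")        # payload stored literally
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %r" % (k, v))
```

The unsafe handler ends up executing `UPDATE settings SET value='x' WHERE name='admin_email' -- ...`, so a field that was supposed to hold a ProStats limit rewrote an unrelated setting. The parameterized handler stores the payload as an ordinary string in the intended row. For settings that are numbers, the cast-and-range-check variant is simpler still, because the value never becomes SQL text at all.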


RE: ProStats - is it secure? - Shade - 2013-11-09

While this is generally correct, certain vulnerabilities are dangerous even in the ACP. Recently a user reported that his site was completely hacked and, after some research, we pointed out that iShare was used as the injection vector by the hackers who, thanks to an unsanitized upload process, were able to upload a shell script and thus wipe out the user's entire site, not just his MyBB copy.

SQL injections like this are not dangerous for your site because any attackers would have already had access to your admin panel, meaning that they would definitely be able to cause worse damage.