MyBB Community Forums
Random people on my forum get admin - Printable Version

Thread: Random people on my forum get admin (https://community.mybb.com/thread-149509.html)



Random people on my forum get admin - CrankedCEO - 2014-01-01

Something is wrong here: random people on my forum just keep getting admin. Like, one guy is online and boom, he is admin out of nowhere, and then the same thing happens a second later. Is this a RAT or an injection? I can't understand, please help...

Plugins

1-http://gyazo.com/798b3abddc4d3d4bab17c44c2ecc697b
2-http://gyazo.com/30f57c1aad54f4afae453aeddfdb7c5b


RE: Random people on my forum get admin - kote2012 - 2014-01-02

disable your mytabs and profile comments


RE: Random people on my forum get admin - Destroy666 - 2014-01-02

(2014-01-02, 08:41 AM)kote2012 Wrote: disable your mytabs and profile comments

How are these plugins connected to the mentioned admin problem? I read they cause it 1st time. Could you specify which codes in them are responsible for this?


RE: Random people on my forum get admin - Deathbeam - 2014-01-02

MyTabs was reported to be SQL injection vulnerable, so maybe this is that case.


RE: Random people on my forum get admin - Erikbe - 2014-01-04

(2014-01-02, 12:31 PM)Destroy666 Wrote: How are these plugins connected to the mentioned admin problem? I read they cause it 1st time. Could you specify which codes in them are responsible for this?

Because one of them is known to have a SQL injection security hole, meaning anybody can run SQL queries on your database. Also, mods.mybb.com should be the only place you trust for getting plugins, and even then always check plugin code ....


RE: Random people on my forum get admin - Destroy666 - 2014-01-04

@2 guys up, maybe reading the text on the screenshot carefully before posting would be a better idea than providing invalid information... He uses version 1.32 of MyTabs; the vulnerability is reported here http://community.mybb.com/thread-133659.html in version 1.31. I don't think further explanation is needed, is it?

Also Profile Comments isn't even there..


RE: Random people on my forum get admin - CrankedCEO - 2014-01-04

I did have profile comments but a lot of people are saying it was my sql injection because of MyTabs.


RE: Random people on my forum get admin - v3nd3tta - 2014-01-06

It wasn't the plugins, the SQL was in your register page. I told MyBB a few versions back and they still haven't listened and even the latest version is still vuln.


RE: Random people on my forum get admin - Josh H. - 2014-01-06

(2014-01-06, 10:49 PM)v3nd3tta Wrote: It wasn't the plugins, the SQL was in your register page. I told MyBB a few versions back and they still haven't listened and even the latest version is still vuln.

Could you give me info on a POC in a PM? I'm curious as to what you're talking about.


RE: Random people on my forum get admin - dcaduser - 2014-01-07

It seems to me that a simple mod or plugin could be created to block anyone that attempts to register with ONLY the words "china" & "thanks" in the location and bio fields, respectively.

In essence, never allowing that registration to be processed and therefore flushing any trace of that registration attempt from the DB after automatically adding that IP address to the 'Banned IP address list'.

After all, that's been the common factor on my forums regarding the recently reported 'spam' infiltrations. And not all of them post stuff. Most just register without posting anything. But it seems they ARE looking for a "security hole" to breach. And they've already circumvented the "Required Custom Questions" feature. Not good!
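The thread raises two defensive points worth seeing in working code: Erikbe's and v3nd3tta's warning that injectable SQL in a plugin or the register page lets anyone run their own queries, and dcaduser's proposed registration filter (refuse a signup whose location is only "china" and bio only "thanks", and ban the IP). The example below is added here and is not code from the thread, from MyBB, or from the MyTabs plugin. It uses a constructed in-memory SQLite schema (the `users` and `banned_ips` tables and their columns are made up for the demo and are not MyBB's real schema), and it assumes MyBB's default group ids of 2 for Registered and 4 for Administrators. It contrasts a string-spliced INSERT with a parameterised one, applies the spam heuristic, and finishes with an audit helper that lists accounts sitting in the admin group that are not on an expected allowlist, which is how "random people getting admin" would surface in a routine check.

```python
# Added example, not from the thread, MyBB or MyTabs. Schema is constructed
# for the demo; ADMIN_GROUP / REGISTERED_GROUP assume MyBB's default gids.
import sqlite3

ADMIN_GROUP = 4       # assumption: MyBB default "Administrators" gid
REGISTERED_GROUP = 2  # assumption: MyBB default "Registered" gid


def open_db():
    """Create an in-memory database with a constructed users/banned_ips schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            uid INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL UNIQUE,
            usergroup INTEGER NOT NULL,
            location TEXT, bio TEXT, regip TEXT);
        CREATE TABLE banned_ips (ip TEXT PRIMARY KEY, reason TEXT);
    """)
    return conn


def is_spam_registration(location, bio):
    """dcaduser's heuristic: both fields consist only of the suspicious words.
    Whitespace and case are normalised so trivial variations still match."""
    return location.strip().lower() == "china" and bio.strip().lower() == "thanks"


def register_unsafe(conn, username, location, bio, ip):
    """VULNERABLE (kept only for contrast): values are spliced into the SQL
    text, so a quote in any field changes the query instead of being stored."""
    sql = (f"INSERT INTO users (username, usergroup, location, bio, regip) "
           f"VALUES ('{username}', {REGISTERED_GROUP}, '{location}', '{bio}', '{ip}')")
    conn.execute(sql)
    conn.commit()


def register(conn, username, location, bio, ip):
    """Hardened handler: spam check first, then a parameterised INSERT.
    User input only ever travels as bound parameters. Returns 'banned' or 'created'."""
    if is_spam_registration(location, bio):
        conn.execute("INSERT OR IGNORE INTO banned_ips (ip, reason) VALUES (?, ?)",
                     (ip, "china/thanks registration pattern"))
        conn.commit()
        return "banned"
    conn.execute(
        "INSERT INTO users (username, usergroup, location, bio, regip) "
        "VALUES (?, ?, ?, ?, ?)",
        (username, REGISTERED_GROUP, location, bio, ip))
    conn.commit()
    return "created"


def unexpected_admins(conn, expected_admins):
    """Audit: usernames in the admin group that are not on the allowlist."""
    rows = conn.execute("SELECT username FROM users WHERE usergroup = ?",
                        (ADMIN_GROUP,)).fetchall()
    return sorted(name for (name,) in rows if name not in expected_admins)


def demo():
    """Run the three checks on constructed input and return the outcomes."""
    conn = open_db()
    results = {}
    # A legitimate name with an apostrophe: the unsafe handler fails on it
    # (the same property that lets crafted input rewrite the query), while
    # the parameterised handler stores it verbatim.
    try:
        register_unsafe(conn, "O'Brien", "Dublin", "hi", "203.0.113.5")
        results["unsafe_raised"] = False
    except sqlite3.OperationalError:
        results["unsafe_raised"] = True
    results["safe"] = register(conn, "O'Brien", "Dublin", "hi", "203.0.113.5")
    results["spam"] = register(conn, "bot123", "china", "thanks", "198.51.100.7")
    results["banned_ips"] = [r[0] for r in conn.execute("SELECT ip FROM banned_ips")]
    # Constructed data: the real owner plus an account that landed in the admin group.
    for name, ip in (("owner", "192.0.2.1"), ("randomguy", "192.0.2.99")):
        conn.execute("INSERT INTO users (username, usergroup, location, bio, regip) "
                     "VALUES (?, ?, ?, ?, ?)", (name, ADMIN_GROUP, "", "", ip))
    conn.commit()
    results["rogue_admins"] = unexpected_admins(conn, {"owner"})
    return results


if __name__ == "__main__":
    print(demo())
```

The audit helper is the piece to run on a schedule against the live board: any name it returns that the staff did not promote is the signal the original poster was seeing by chance. The spam heuristic is deliberately narrow (exact words only), matching the pattern dcaduser describes; widening it is a tuning decision, not a correctness one.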