Thread Rating:
  • 2 Vote(s) - 1 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Solved: 10 Years, 8 Months, 2 Weeks ago BIG EXPLOIT IN MYBB 1.6 BE AWARE
#1
Solved: 10 Years, 8 Months, 2 Weeks ago
Hi,

If I could get contacted by one of the software owners here. my site is hacked today and it' s because of mybb 1.6

I wont tell too much, but normal registered members can get admin access and they kicked me out of the forum ( i have a backup of yesterday though)

but also major forums can be hacked easily because of this. it's a 0day exploit and just started like 48 hours ago



David
No one that will be able to fix this LARGE bug? I also found how to do it, and I want MyBB to fix it. It's a major securty risk and I would like everyone to close their forums running on 1.6 ATM!
#2
Solved: 10 Years, 8 Months, 2 Weeks ago
I don't think 1.6 has any exploits, or else the largest hacking forum to ever exist wouldn't use it.

However, I will try and get the lead developer to take alook,.
Former MyBB Software Assurance Team
Server Latch Ltd - Premium Shared, Reseller and VPS Hosting for your MyBB Forum!
#3
Solved: 10 Years, 8 Months, 2 Weeks ago
You're telling us to look out for an exploit that you haven't provided any information on? I see..
#4
Solved: 10 Years, 8 Months, 2 Weeks ago
Well, I can get this to work on another forum and I tested it.

Otherwise how could it be that I'm the only administrator, I saw 8 people online, 2 registering and both got admin status.

Then I found a article about it on a site with a lot of exploits to see if it's public. And it is.

I can show you the site that has the article on it.

I just want you guys to believe me and make this software more secure for big boards using it ATM. Also it's a 0day exploit meaning it's only been in use for 1 day

Edit:

Most big boards chance their directory of the admin panel. The exploit only works when you know what directory it is.
So that's why big boards are secure ATM.

And if anyone knows about the exploit: if I'll chance the directory, would then everything will be alright again?
#5
Solved: 10 Years, 8 Months, 2 Weeks ago
Hello,

I have informed all staff regarding this as a precaution and you should receive a PM shortly from a member of our developement team, and they can confirm or reject this possible exploit.

Thanks for reporting this.

--Conor
Former MyBB Software Assurance Team
Server Latch Ltd - Premium Shared, Reseller and VPS Hosting for your MyBB Forum!
#6
Solved: 10 Years, 8 Months, 2 Weeks ago
PM me a POC if you're legitimately telling the truth.

Otherwise you're just playing smoke and mirrors.


Forum Jump:


Users browsing this thread: 1 Guest(s)