
Important MyBB Security Information!

Post by CyberFreak » 16 Nov 2014, 12:47

Just came across this which may affect you if you run a MyBB forum - http://blog.mybb.com/2014/11/15/github- ... ompromised

Hello,



Yesterday, 14th of November, my (Pirata Nervo) GitHub account was compromised. By taking advantage of that, the attacker made a commit to our GH pages, more specifically one which is retrieved by the MyBB software in order to process version checks. Unfortunately, the attack allowed the attacker to set up Database backups of any MyBB forum, without exception, via JavaScript.

In order for you to know if you were attacked, you must have accessed the Admin CP of your forum from 14th November 23:00 GMT to 15th November 15:30 GMT. If you accessed your AdminCP during this timespan, it is likely that you were attacked.

To be sure about it, please log on to your AdminCP now and check your Database Backup Logs from ACP -> Tools & Maintenance -> Database Backups. If the creation date of at least one of them is set to a time between that time span mentioned above, you were affected. We strongly recommend you to alert your users about it so they can change their passwords.



What you have to do: (in case you were attacked)

Alert your users to change password.
Change your password.
Clear your cookies.


I’ve already enabled 2 Factor Authentication on my GitHub account and changed my password. I deeply apologize for this event for it was never my intention to cause any harm to anyone but it should be my responsibility to keep my account as secure as possible.



My apologies,

Pirata Nervo


Judging from this topic, if you accessed the ACP during that time, it made a backup of the usertable and uploaded it to a remote server - http://community.mybb.com/thread-162862.html
MyBB grabs data from mybb.com, trusts it and prints it out without checks or escapes. That allowed JavaScript to be inserted. Said JavaScript made your browser download your mybb_users table and upload it to a remote site.


Just a heads up!
  • 2

CyberFreak
Tech Admin
 
Posts: 4,170
Location: UK
Referrals: 32
ForumCoin: 45,431
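
An added example, not part of the original posts or of MyBB's code: the check the announcement above describes (was any database backup created between 14 Nov 23:00 GMT and 15 Nov 15:30 GMT?), written in Python. The year 2014 is taken from the post date; the entry names, the 'YYYY-MM-DD HH:MM' input format, the board UTC offset parameter and the backup directory argument are assumptions made for illustration.

```python
import os
from datetime import datetime, timedelta, timezone

# Exposure window from the announcement, in GMT (year taken from the post date).
WINDOW_START = datetime(2014, 11, 14, 23, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 11, 15, 15, 30, tzinfo=timezone.utc)

def in_window(ts):
    """True if a timezone-aware datetime falls inside the exposure window."""
    if ts.tzinfo is None:
        raise ValueError("naive timestamp: state the UTC offset explicitly")
    return WINDOW_START <= ts.astimezone(timezone.utc) <= WINDOW_END

def flag_log_entries(entries, utc_offset_hours):
    """entries: (name, 'YYYY-MM-DD HH:MM') pairs copied from the backup list.

    Times are interpreted in the board's display timezone (assumed input
    format), then converted to GMT before comparing against the window.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = []
    for name, shown in entries:
        ts = datetime.strptime(shown, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
        if in_window(ts):
            hits.append(name)
    return hits

def flag_backup_files(directory):
    """Same check on file modification times in a backup directory on disk."""
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file():
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
            if in_window(mtime):
                hits.append(entry.name)
    return sorted(hits)

# Constructed sample entries, not taken from any real forum.
SAMPLE = [
    ("backup_a.sql.gz", "2014-11-14 17:30"),
    ("backup_b.sql.gz", "2014-11-15 10:00"),
    ("backup_c.sql.gz", "2014-11-10 09:00"),
    ("backup_d.sql.gz", "2014-11-15 02:00"),
]

if __name__ == "__main__":
    print(flag_log_entries(SAMPLE, -6))
    print(flag_log_entries(SAMPLE, 0))
```

The same four entries are flagged differently for a board displaying UTC-6 and one displaying GMT, so times read off the ACP need converting to GMT before comparing them with the announced window.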

Re: Important MyBB Security Information!

Post by scarface » 16 Nov 2014, 16:44

Thank you for sharing this with us, almost all of us are on MyBB, and most of us are already hacked in the last few days. But let's hope it doesn't continue.
  • 0

scarface
 
Posts: 325
ForumCoin: 69

Re: Important MyBB Security Information!

Post by jacktheking » 17 Nov 2014, 00:50

Hmm.. I am not using MyBB for my game. There's no need to worry.

However, I'm not sure.. will it affect MyBB which is only available to me? Well, I have a copy of MyBB in my Wamp server. Well, I don't think they could hack into my Localhost, could they?
  • 0

jacktheking
MMO Site Owner
 
Posts: 985
ForumCoin: 162

Re: Important MyBB Security Information!

Post by CyberFreak » 17 Nov 2014, 10:07

It was done through the version check in the ACP and running JavaScript in your browser so I would imagine it would affect your localhost installation.
  • 0

CyberFreak
Tech Admin
 
Posts: 4,170
Location: UK
Referrals: 32
ForumCoin: 45,431

Re: Important MyBB Security Information!

Post by shamzblueworld » 18 Nov 2014, 09:50

Thanks for sharing Fowler, I just checked and I was not affected by this, gladly.
  • 0

shamzblueworld
 
Posts: 2,936
ForumCoin: 274

Re: Important MyBB Security Information!

Post by CyberFreak » 21 Nov 2014, 20:31

That is good to hear... Anyone using MyBB should update to MyBB 1.8.3 or MyBB 1.6.16. As well as the usual bunch of security fixes, there is a fix to prevent this happening again.
  • 0

CyberFreak
Tech Admin
 
Posts: 4,170
Location: UK
Referrals: 32
ForumCoin: 45,431

Re: Important MyBB Security Information!

Post by shamzblueworld » 22 Nov 2014, 04:21

CyberFreak wrote: That is good to hear... Anyone using MyBB should update to MyBB 1.8.3 or MyBB 1.6.16. As well as the usual bunch of security fixes, there is a fix to prevent this happening again.

This is very annoying now, another update already. They should make the updates automatic then, manual updates take time and I just updated to 1.8.2 a couple of days ago and another update now.
That's why I love WordPress :)
  • 0

shamzblueworld
 
Posts: 2,936
ForumCoin: 274

Re: Important MyBB Security Information!

Post by CyberFreak » 27 Nov 2014, 15:11

While WordPress's auto updates do help to ensure that security issues are patched quickly, it can lead to other issues such as this - https://forums.stablehost.com/index.php ... #post-1697

Imagine if someone malicious gets access to push a malicious update out and loads of boards will update very quickly to that new version without the admin even knowing.

Personally I have little faith in MyBB's security so I wouldn't trust auto updates from them.
  • 0

CyberFreak
Tech Admin
 
Posts: 4,170
Location: UK
Referrals: 32
ForumCoin: 45,431

Re: Important MyBB Security Information!

Post by yashrajkarthikey2 » 27 Dec 2014, 13:44

CyberFreak wrote: That is good to hear... Anyone using MyBB should update to MyBB 1.8.3 or MyBB 1.6.16. As well as the usual bunch of security fixes, there is a fix to prevent this happening again.

I agree with CyberFreak... Updating it may reduce the risk and vulnerabilities... From your side, one can only do this, nothing more...
  • 0

yashrajkarthikey2
 
Posts: 450
Location: India
Referrals: 2
ForumCoin: 9


