MyBB Development Blog

Welcome to the MyBB Development Blog. Here you'll find updates relating to the development of future versions of MyBB as well as technical discussions, tips, tricks and modifications to help you get the most out of MyBB.

Plugin Exploits (Being reported as MyBB 1.6.5 Exploits)

By Dylan M. | Published January 13th, 2012 | General, Security

Hello everyone,

We’d like to inform you that two security holes were found in two plugins which are installed on many MyBB forums. The affected plugins are the following:

[ SEO ] Simple Tag Cloud Plugin (Tags) by Watt
FBConnect (not available on our Mods site) by Nayar

The first has been unapproved and a PM was sent to the plugin author; it will remain unapproved on the Mods site until the author fixes the issue.
The second has already been updated and the issue has been fixed. If you’re looking for the fixed version, it is available on the author’s website as well as on the MyBB community forums here.

We strongly advise you to remove the first plugin entirely from your forum and to either remove the second one or install the fixed version.
We also recommend that you check your forum for any data that may have been compromised.

On a side note, numerous “exploiting scripts” have been spreading across the internet which refer to these two vulnerabilities as if they were vulnerabilities in MyBB itself, which is not true.

Thank you,
MyBB Team

Comments

  1.

    Aaron (January 13th, 2012, 8:50 am)

    I use neither but it’s good you guys are finding things like this before it becomes too late.

  2.

    GamerVoid (January 13th, 2012, 11:25 am)

    I don’t have either – so yay for me!

  3.

    kavin (January 13th, 2012, 1:43 pm)

    I hate when people blame MyBB team, while the vulnerability is with their plugins or their server itself.

    An explanation from the MyBB team like this will make them understand it’s not MyBB which has the issue.

  4.

    FBI (January 14th, 2012, 1:34 am)

    It’s a warning for MyBB staff to be selective when approving mods ;)
    Thanks for the report. Now this subject is on Google.. “MyBB 1.6.5 Plugins Exploit”

  5.

    Adula-Kun (January 14th, 2012, 4:31 am)

    Thanks, good job :)

  6.

    Staff Response: StefanT (January 14th, 2012, 6:35 pm)

    @FBI: It is just impossible to check several plugins every day; some have hundreds of lines of code.

  7.

    Stoffer (January 16th, 2012, 8:56 pm)

    Well spotted team. A word in Nayar’s favour: He sent me an email with a link to the update of his Facebook Connect plugin, along with instructions as to how to update it, as soon as he found out about the exploit.
    This is a plugin that I’m very happy with; it adds the ability for users to register via FB, something I feel is necessary with MyBB in light of the social age we live in and with people being members of various forums.
    Thanks again for the updates team.

  8.

    Jazza (February 7th, 2012, 12:20 pm)

    I’m very impressed the staff are announcing plugin vulnerabilities. It makes me so glad I started using MyBB a few years ago to this day.

    I haven’t updated the FBConnect plugin to Nayar’s latest version, I just fixed it myself. The issue was that the plugin accepted the user’s Facebook name and username without cleaning it of HTML. This was exploited by people signing up (using a bot) and entering a malicious script as their name. When their name is displayed on the forum, the script is run, and the website *appears* to be hacked.

    I recommend you update to the latest version of FBConnect or, for a quick fix, just use PHP’s strip_tags function to strip all HTML and PHP tags from names.
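The stored-XSS pattern Jazza describes, as an added example that is not code from MyBB, from the FBConnect plugin or from the commenter: a renderer that concatenates the identity provider's display name into HTML, the strip_tags quick fix, and output escaping as the robust fix. The $profile array is a constructed stand-in for the record the provider returns after login.

```php
<?php
// Added example (not MyBB or plugin code): a vulnerable renderer beside the
// strip_tags quick fix and an escape-on-output fix for the same field.
declare(strict_types=1);

// Constructed sample: the display name is attacker-controlled input, as it
// comes from the external account, not from the forum's own validation.
$profile = [
    'name'     => 'Jane <script>alert(document.cookie)</script>',
    'username' => 'jane.doe',
];

// Vulnerable: the untrusted name is concatenated straight into HTML, so the
// script tag is delivered to every visitor who views a post by this account.
function render_name_unsafe(array $profile): string
{
    return '<span class="author">' . $profile['name'] . '</span>';
}

// Quick fix from the comment: remove HTML/PHP tags before the value is stored.
// This is a sanitiser, not an escaper: it drops tags but leaves quotes alone,
// so it does not by itself cover values that later land inside an attribute.
function sanitize_name(string $name): string
{
    return trim(strip_tags($name));
}

// Robust fix: escape at the point of output, whatever reached the database.
// ENT_QUOTES also encodes quotes, so the result is safe inside attributes too.
function render_name_safe(array $profile): string
{
    $escaped = htmlspecialchars($profile['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="author">' . $escaped . '</span>';
}

// Defensive check for a template test: the rendered fragment must not contain
// the untrusted value verbatim when that value carries a tag.
function contains_raw_tag(string $html, string $untrusted): bool
{
    return strpos($untrusted, '<') !== false && strpos($html, $untrusted) !== false;
}

echo render_name_unsafe($profile), PHP_EOL;
echo render_name_safe($profile), PHP_EOL;
echo sanitize_name($profile['name']), PHP_EOL;
var_dump(contains_raw_tag(render_name_unsafe($profile), $profile['name']));
var_dump(contains_raw_tag(render_name_safe($profile), $profile['name']));
```

Sanitising at save time and escaping at output time are complementary: the first limits what is stored, the second guarantees what the browser receives, and only the second protects templates that were written before the sanitiser existed.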
