We’d like to inform you that two security holes have been found in two plugins that are in common use on MyBB forums. The affected plugins are the following:
[ SEO ] Simple Tag Cloud Plugin (Tags) by Watt
FBConnect (not available on our Mods site) by Nayar
The first has been unapproved on the Mods site and a PM has been sent to the plugin author; it will remain unapproved until the author fixes the issue.
The second has already been updated and the issue has been fixed. If you’re looking for the fixed version, it is available on the author’s website as well as on the MyBB community forums here.
We strongly advise you to remove the first plugin from your forum entirely, and to either remove the second one or install the fixed version.
We also recommend that you search your forum for any data that may have been compromised.
On a side note, numerous “exploiting scripts” are circulating on the internet that present these two vulnerabilities as if they were vulnerabilities in MyBB itself. That is not true: the issues are in the plugins, not in MyBB.
I use neither but it’s good you guys are finding things like this before it becomes too late.
I don’t have either – so yay for me!
I hate it when people blame the MyBB team while the vulnerability is in their plugins or their server itself.
An explanation from the MyBB team like this will make them understand it’s not MyBB which has the issue.
It’s a warning for MyBB staff to be selective when approving mods 😉
Thanks for reporting. Now this subject has become “MyBB 1.6.5 Plugins Exploit” on Google…
Thanks, good job 🙂
@FBI: It is just impossible to check several plugins every day; some have hundreds of lines of code.
Well spotted team. A word in Nayar’s favour: He sent me an email with a link to the update of his Facebook Connect plugin, along with instructions as to how to update it, as soon as he found out about the exploit.
This is a plugin that I’m very happy with. It adds the ability for users to register via FB, something I feel is necessary with MyBB in light of the social age we live in and with people being members of various forums.
Thanks again for the updates team.
I’m very impressed the staff are announcing plugin vulnerabilities. It makes me glad, to this day, that I started using MyBB a few years ago.
I haven’t updated the FBConnect plugin to Nayar’s latest version, I just fixed it myself. The issue was that the plugin accepted the user’s Facebook name and username without cleaning it of HTML. This was exploited by people signing up (using a bot) and entering a malicious script as their name. When their name is displayed on the forum, the script is run, and the website *appears* to be hacked.
I recommend you update to the latest version of FBConnect or, for a quick fix, just use PHP’s strip_tags function to strip all HTML and PHP tags from names.
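The stored XSS described in the comment above, shown as an added example that is not the FBConnect plugin’s own code and not from the MyBB team or Nayar. The function names, the template markup and the sample names are all hypothetical and constructed for the demonstration; it contrasts the vulnerable pattern (echoing the Facebook-supplied name unencoded), the strip_tags quick fix from the comment, and output encoding at the point of display.

```php
<?php
// Added example (not the FBConnect plugin's own code). Function names, the
// template snippet and the sample names below are hypothetical/constructed.

declare(strict_types=1);

// Constructed attacker-supplied Facebook profile names, as a registration bot
// might submit them. The third one contains no tags at all.
const SAMPLE_NAMES = [
    "Alice O'Neil",                              // benign name containing a quote
    '<script>alert(document.cookie)</script>',   // tag-based payload from the comment
    '" onmouseover="alert(1)',                   // attribute breakout, survives strip_tags
];

// Vulnerable pattern: the name was stored as received and a template later
// dropped it straight into HTML, both as text and inside an attribute.
function render_name_vulnerable(string $name): string
{
    return '<span class="author" title="' . $name . '">' . $name . '</span>';
}

// Quick fix suggested in the comment: strip HTML/PHP tags before storing.
// This removes the <script> payload but leaves quotes and other
// attribute-significant characters untouched.
function sanitize_name_strip_tags(string $name): string
{
    return strip_tags($name);
}

// Proper fix: store the name as plain data and encode it on output for the
// context it lands in. ENT_QUOTES covers both element text and quoted
// attribute values; MyBB core provides htmlspecialchars_uni() for the same job.
function render_name_fixed(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="author" title="' . $safe . '">' . $safe . '</span>';
}

// Demo-only heuristic: does the rendered HTML still contain the raw input
// while that input carries an HTML/attribute metacharacter?
function looks_injected(string $html, string $input): bool
{
    return strpos($html, $input) !== false && preg_match('/[<>"]/', $input) === 1;
}

foreach (SAMPLE_NAMES as $name) {
    $raw      = render_name_vulnerable($name);
    $stripped = render_name_vulnerable(sanitize_name_strip_tags($name));
    $fixed    = render_name_fixed($name);

    echo 'input:      ' . $name . PHP_EOL;
    echo 'vulnerable: ' . $raw . (looks_injected($raw, $name) ? '   <-- injected' : '') . PHP_EOL;
    echo 'strip_tags: ' . $stripped
        . (looks_injected($stripped, sanitize_name_strip_tags($name)) ? '   <-- injected' : '') . PHP_EOL;
    echo 'fixed:      ' . $fixed . (looks_injected($fixed, $name) ? '   <-- injected' : '') . PHP_EOL;
    echo PHP_EOL;
}
```

Running this shows why the quick fix is only a stopgap: strip_tags neutralises the `<script>` name from the comment, but the third sample contains no tags, so it passes through unchanged and, once the template places it in the `title` attribute, the `"` closes the attribute and an event handler follows. Encoding at output handles both cases and also keeps a legitimate name such as "Alice O'Neil" displayable. Note that either fix only affects names processed after it is installed; names already stored from earlier bot registrations still need to be found and cleaned.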
Thanks, good job