MyBB Tutorials

MyBB Security Tutorial and Guidelines

Submitted by Blowjob, , Thread ID: 631

Thread Closed

RE: MyBB Security Tutorial and Guidelines

OP
#11
03-02-2015, 01:46 AM
maloon Wrote:
Does SMF have a large plugin/theme repository? Mostly using it for a minecraft server, so just something pretty looking and easy to use works for me.

I dont know as i dont use it

RE: MyBB Security Tutorial and Guidelines

#12
Very helpful guide, thanks man

RE: MyBB Security Tutorial and Guidelines

OP
#13
03-02-2015, 02:46 AM
Falsey Wrote:
Very helpful guide, thanks man

fucking leecher :rly:

RE: MyBB Security Tutorial and Guidelines

#14
Great tut there. I actually learned something new. Smile

RE: MyBB Security Tutorial and Guidelines

This post was last modified: 17-02-2015, 09:30 PM by Akay
#15
For the 1.6 users out there, here is something you can patch (if you wanna :rlySmile;

Vuln: /search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=

Error:
Code:
Warning [2] mysqli_real_escape_string() expects parameter 2 to be string,
array given - Line: 874 - File: inc/db_mysqli.php PHP 5.4.19

-1~dotdeb.1 (Linux)

Edit search.php

And find the code
PHP Code:
$sid $db->escape_string($mybb->input['sid']); 

Replace it with
PHP Code:
if(is_array($mybb->input['sid']))
    
$sid $db->escape_string(implode($mybb->input['sid']));
    else
    
$sid $db->escape_string($mybb->input['sid']); 

Now save it.

Source: http://packetstormsecurity.com/files/125...ction.html

RE: MyBB Security Tutorial and Guidelines

#16
17-02-2015, 09:29 PM
Kewl Wrote:
For the 1.6 users out there, here is something you can patch (if you wanna :rlySmile;

Vuln: /search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=

Error:
Code:
Warning [2] mysqli_real_escape_string() expects parameter 2 to be string,
array given - Line: 874 - File: inc/db_mysqli.php PHP 5.4.19

-1~dotdeb.1 (Linux)

Edit search.php

And find the code

PHP Code:
$sid $db->escape_string($mybb->input['sid']); 

Replace it with

PHP Code:
if(is_array($mybb->input['sid']))
  
$sid $db->escape_string(implode($mybb->input['sid']));
  else
  
$sid $db->escape_string($mybb->input['sid']); 

Now save it.

Source: http://packetstormsecurity.com/files/125...ction.html

This is fixed already in the newer versions (1.6.3+), right?
http://blog.mybb.com/2011/04/17/mybb-1-6...ty-update/

RE: MyBB Security Tutorial and Guidelines

#17
18-02-2015, 12:43 PM
Coxetamine Wrote:
17-02-2015, 09:29 PM
Kewl Wrote:
For the 1.6 users out there, here is something you can patch (if you wanna :rlySmile;

Vuln: /search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=

Error:
Code:
Warning [2] mysqli_real_escape_string() expects parameter 2 to be string,
array given - Line: 874 - File: inc/db_mysqli.php PHP 5.4.19

-1~dotdeb.1 (Linux)

Edit search.php

And find the code

PHP Code:
$sid $db->escape_string($mybb->input['sid']); 

Replace it with

PHP Code:
if(is_array($mybb->input['sid']))
  
$sid $db->escape_string(implode($mybb->input['sid']));
  else
  
$sid $db->escape_string($mybb->input['sid']); 

Now save it.

Source: http://packetstormsecurity.com/files/125...ction.html

This is fixed already in the newer versions (1.6.3+), right?
http://blog.mybb.com/2011/04/17/mybb-1-6...ty-update/

It even exist on 1.6.16 version, so nope.

Users browsing this thread: 5 Guest(s)