Recent hackings, whose fault is it!?

Well I did some quick research, and I'm wondering if it could be possible that one of the SQL injection vulnerabilities fixed in MyBB 1.8.2 may have been used to brute force weak passwords. You can't easily brute force MyBB without a vulnerability because it limits login attempts, nor can you easily unhash a secure password, but SQL injection is a bit of a backdoor on its own to getting information about fields in the database while bypassing other security measures.

Not sure if this is how so many forums were recently hacked or not. If it is, it might explain why people have linked the hackings with weak passwords. Either way, it's good that the team has patched the issue. I'm very surprised at how many vulnerabilities were fixed in the latest version of MyBB.
 
Darth-Apple said:
Well I did some quick research, and I'm wondering if it could be possible that one of the SQL injection vulnerabilities fixed in MyBB 1.8.2 may have been used to brute force weak passwords. You can't easily brute force MyBB without a vulnerability because it limits login attempts, nor can you easily unhash a secure password, but SQL injection is a bit of a backdoor on its own to getting information about fields in the database while bypassing other security measures.

Not sure if this is how so many forums were recently hacked or not. If it is, it might explain why people have linked the hackings with weak passwords. Either way, it's good that the team has patched the issue. I'm very surprised at how many vulnerabilities were fixed in the latest version of MyBB.

That's a possible scenario, albeit less likely. I feel like it is also likely that the hacker could have done a simple query like...

Code:
UPDATE `mybb_users` SET `password` = 'hashed_password' WHERE `username` = 'admin_username'

... to grant access to an admin account.
 
I tried that on a test forum out of curiosity, but the SQL injection vulnerability is a little difficult to exploit because the query is complicated and the PHP/MySQLi driver doesn't support stacked queries with the default mysqli_query function that MyBB uses. So, for example, using the following in the form field won't work:

Code:
[hash value]' AND q.qid = '15'; UPDATE `mybb_users` SET `usergroup` = '4' WHERE `uid` = '2' --

For that reason, SQL injections for applications that use PHP and MySQLi are often a little trickier to implement because they generally rely on manipulating the query that already exists. Then again, the only time I ever try this stuff is on a test forum for the sake of curiosity, so I'm by no means an expert when it comes to this stuff. :P
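
The point in the post above, as an added example that is not part of the original thread and not MyBB code: a driver call that accepts only one statement stops the stacked `UPDATE`, but it does nothing for a query built by string concatenation, while bound parameters neutralize both inputs. It uses Python's sqlite3 as a stand-in for PHP/MySQLi, and the tables, columns and sample values are constructed for illustration.

```python
import sqlite3

# Constructed inputs for the demo (not taken from a real system).
STACKED = "x'; UPDATE users SET usergroup = 4 WHERE uid = 2 --"
IN_QUERY = "x' OR '1'='1"
ONE_STMT_ERRORS = (sqlite3.Warning, sqlite3.ProgrammingError)  # varies by Python version

def make_db():
    """In-memory database with a hypothetical schema and sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, usergroup INTEGER);
        CREATE TABLE answers (uid INTEGER, answer TEXT);
        INSERT INTO users VALUES (1, 4), (2, 2);
        INSERT INTO answers VALUES (1, 'blue'), (2, 'green');
    """)
    return db

def check_concat(db, uid, answer):
    """Weak form: the answer is spliced into the SQL text."""
    sql = f"SELECT COUNT(*) FROM answers WHERE uid = {int(uid)} AND answer = '{answer}'"
    return db.execute(sql).fetchone()[0] > 0

def check_bound(db, uid, answer):
    """Hardened form: the answer travels as a bound parameter, never as SQL."""
    sql = "SELECT COUNT(*) FROM answers WHERE uid = ? AND answer = ?"
    return db.execute(sql, (uid, answer)).fetchone()[0] > 0

def usergroup(db, uid):
    return db.execute("SELECT usergroup FROM users WHERE uid = ?", (uid,)).fetchone()[0]

def demo():
    db = make_db()
    out = {}
    try:  # execute() accepts one statement only, like mysqli_query
        check_concat(db, 2, STACKED)
        out["stacked_rejected"] = False
    except ONE_STMT_ERRORS:
        out["stacked_rejected"] = True
    out["group_after_stacked"] = usergroup(db, 2)  # row is unchanged
    out["concat_wrong_answer"] = check_concat(db, 2, IN_QUERY)  # check is bypassed
    out["bound_wrong_answer"] = check_bound(db, 2, IN_QUERY)
    out["bound_stacked"] = check_bound(db, 2, STACKED)
    out["bound_right_answer"] = check_bound(db, 2, "green")
    return out

if __name__ == "__main__":
    print(demo())
```

The single-statement restriction is a property of the driver call, not a mitigation; the concatenated check still returns a match for a wrong answer, and only the bound version treats both inputs as plain data.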
 
Darth-Apple said:
I tried that on a test forum out of curiosity, but the SQL injection vulnerability is a little difficult to exploit because the query is complicated and the PHP/MySQLi driver doesn't support stacked queries with the default mysqli_query function that MyBB uses. So, for example, using the following in the form field won't work:


Code:
[hash value]' AND q.qid = '15'; UPDATE `mybb_users` SET `usergroup` = '4' WHERE `uid` = '2' --

For that reason, SQL injections for applications that use PHP and MySQLi are often a little trickier to implement because they generally rely on manipulating the query that already exists. Then again, the only time I ever try this stuff is on a test forum for the sake of curiosity, so I'm by no means an expert when it comes to this stuff. :P

Interesting! Which version of the software was Off Topix and EUH's forum using when it was exploited? I'd like to try it out myself. Could it perhaps be a subquery?
 
1.6 isn't vulnerable to this particular SQL injection vulnerability. It's a vulnerability in the security questions feature that comes with MyBB 1.8, which was obviously not present in MyBB 1.6.x. :P

As for subqueries, I had tried that as well just out of interest. I could have done something wrong, but I don't think MySQL allows "update" subqueries in a select query. I'm not an expert on this though. :P
 
Well it was confirmed to me that my hacking was through a news plug-in.

But, if you add an Admin PIN and back up your database daily/nightly, the measures are not that bad if you do get "Shade and Spook'ed".
 
You should share the URL to the plugin that was vulnerable to warn other administrators. The team may add it to the vulnerable plugins list.
 
Paul.H of MyBB support is aware of the plug-in and I think he's on it.

I've noticed strange activity lately too, like on my forum people recovering passwords on Online List.
 