Admin Security

This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:

• Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
• Prevent admins from getting the database password
• Hides non-forum related tables in the backup database page

Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.

[ZiNgA BuRgA]

No, the edit just forces 'adminsec' into the active plugins list.
Note that I'm not sure if it will display correctly in the AdminCP -> Configuration -> Plugins section; it may appear to be disabled, but the effects of it being loaded will still exist.
The ideal solution would be to modify your installer to push this plugin into the active plugins cache, but I don't know your multi-forum script, so this should be suffice.

[Dave]

Hi Zenga,

Thats brilliant, many thanks for your help. One last questions!

Although it would be active despite showing as deactive in the plugin section, if an admin was to click "activate" - would that make any difference? It wouldnt have the reverse effect and deactivate it? Or because its coded in to be active, the activate/deactivate switch will have no effect.

Hope that makes sense!

[ZiNgA BuRgA]

If they go an activate it, it will just appear to be activated.  There's no difference otherwise.
This plugin cannot be deactivated unless they have permissions to edit the PHP file.

[Dave]

Superb.

Many thanks for your help

[Technoman]

(05-19-2010 09:29 PM)ZiNgA BuRgA Wrote:  Note that this plugin does not work on multi-DB server setups
(if you don't know what this is, you probably don't have one).

Ok after fixxing the first issue with your second recomended update I have tested this with multi forums now on 1 server, and whats happening now is once you click to see "view new posts"  or "subscribe" Internet Explorer cannot display the webpage ...this must be why its not intended for multi-Db servers? Can this be the problem and affecting it? Or can this something else interfering?

Thanks

[ZiNgA BuRgA]

(07-22-2010 09:08 AM)Technoman Wrote:  this must be why its not intended for multi-Db servers?

Multi-DB refers to if you are using MySQL replication or similar.
You probably aren't, so this shouldn't be your problem.

This plugin shouldn't be doing anything special for specific browsers, so if it's only IE in which it's happening, it's probably something else.

[Technoman]

(07-22-2010 06:13 PM)ZiNgA BuRgA Wrote:  

(07-22-2010 09:08 AM)Technoman Wrote:  this must be why its not intended for multi-Db servers?

Multi-DB refers to if you are using MySQL replication or similar.
You probably aren't, so this shouldn't be your problem.

This plugin shouldn't be doing anything special for specific browsers, so if it's only IE in which it's happening, it's probably something else.

its happening in FF and IE these are the only 2 I use

[ZiNgA BuRgA]

I suspect it may have something to do with the redirect pages (note, disabling these isn't necessarily a solution), and maybe the multi-forum script doing something a bit different with them.
I don't have the time to check, but it probably modifies the underlying database configuration, which may be causing it to break down.

I don't know what modifications it makes to DB configuration, but if the script is good, inc/config.php should be a redirect to the proper configuration file.

[Captain Pretender]

hi sorry to dig up an old thread...

is there no way to allow template editing and yet still preserve your db details

even with this activated the db username and dbname can be easily accessed

i was making a multiforum script that basically uploads and installs the board for users so template editing is a must

[ZiNgA BuRgA]

This plugin should be making it difficult, if not impossible, to access the DB password.
If you could say how one can view the DB password with this plugin installed, I would be able to look into it.

Thanks.