Admin Security

This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:

• Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
• Prevent admins from getting the database password
• Hides non-forum related tables in the backup database page

Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.

[ZiNgA BuRgA]

(06-25-2020 09:36 PM)WINBOY Wrote:  Should it will be helpful to install in mybb 1.8.22...I don't know much more about securities in this version.

Is it easy to get database username and password?

MyBB has incorporated this plugin's functionality as mentioned at the top of the page, so there's not much point, and I'm not supporting it on newer versions of MyBB.
Although I think it's still possible to retrieve database credentials as their filter doesn't seem to exclude $mybb->settings['database']