Admin Security

This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:

• Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
• Prevent admins from getting the database password
• Hides non-forum related tables in the backup database page

Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.

[Pirata Nervo]

Haven't looked at the code yet but what do you mean by "Prevent admins from getting the database password", how do you prevent it?
I'm glad someone decided to "fix" the issue though, thanks for sharing!

[ZiNgA BuRgA]

Unset the password from the $mybb->config array.  It's not needed once the DB connection is actually made.

[Pirata Nervo]

Oh all right, I wonder why that's not part of the code though

[ZiNgA BuRgA]

Cause they're freaking stoopid.

[darkly]

lol at the 'WTFPLv2' license.

[Pirata Nervo]

Just seen the control_object function, did you code it? Or does it come with PHP? That's something I've been looking for, for ages!

[ZiNgA BuRgA]

Yes, I wrote that myself.  I've been using it for ages in plugins like PHP in Templates (just not explicitly done as a nice to use function).  There's no equivalent PHP function.

[Pirata Nervo]

Okay, would you mind if I used it for personal tests only?

[ZiNgA BuRgA]

You can use it as per the license