Admin Security
This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated.

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:
  • Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
  • Prevent admins from getting the database password
  • Hide non-forum related tables in the backup database page
Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.
(This post was last modified: 07-27-2011 07:11 PM by ZiNgA BuRgA.)
Download: admsec.php (5.7 KB)
Plugin Version: 1.02
Last Updated: 07-01-2010, 10:56 AM

Downloads: 929
MyBB Compatibility: 1.4.x, 1.6.x
Plugin License: WTFPLv2
Uploader: ZiNgA BuRgA
Technoman Offline
Forum Idiot
Posts: 108
Joined: Jun 2010
Post: #21
RE: Admin Security
(06-24-2010 02:01 PM)ZacAttack Wrote:  I love this plugin but after about 10ish days it gave me this error:

Code:
Database: MySQL
SQL Error: 1045 - Access denied for user 'USERNAME'@'HOSTNAME' (using password: NO)
Query: [READ] Unable to connect to MySQL server

At first I didn't think it would be this plugin so I deactivated all plugins and changed databases. Nothing changed until I deactivated this plugin Ouch

Hopefully you can either figure out what went wrong and fix it so I can reactivate it Smile


I am getting this error now too. I think I'm going to delete this plugin for now because it even gives a 1045 error on the sitemap.
(06-30-2010 09:05 AM)ZiNgA BuRgA Wrote:  So quick reply only?
I can't reproduce here, but looking through stuff, it may be possible that a dodgy (older) version of PHP is causing the issue.

Can you give this a try and tell me if it fixes it?
Thanks.

Does this fix the SQL 1045 errors I'm receiving?
(This post was last modified: 07-05-2010 08:23 AM by Technoman.)
07-05-2010 08:21 AM
ZiNgA BuRgA Offline
Fag
Posts: 3,340
Joined: Jan 2008
Post: #22
RE: Admin Security
(07-05-2010 08:21 AM)Technoman Wrote:  Does this fix the SQL 1045 errors I'm receiving?
I don't know, as I don't control your server.

Also, I don't know how the sitemap plugin works either.

My Blog
07-05-2010 11:38 AM
Technoman Offline
Forum Idiot
Posts: 108
Joined: Jun 2010
Post: #23
RE: Admin Security
I'm going to send you the URL of the domain in private.
07-05-2010 11:51 AM
ZiNgA BuRgA Offline
Fag
Posts: 3,340
Joined: Jan 2008
Post: #24
RE: Admin Security
As I said, I don't control your server.  Sending me a URL to an error message I already know about doesn't help me, unfortunately.
Have you even bothered to try the update?  If so, and you don't mind, I would be grateful if you could supply me with FTP details so I can investigate the issue.

Thanks.

My Blog
07-05-2010 12:26 PM
Technoman Offline
Forum Idiot
Posts: 108
Joined: Jun 2010
Post: #25
RE: Admin Security
(07-05-2010 12:26 PM)ZiNgA BuRgA Wrote:  As I said, I don't control your server.  Sending me a URL to an error message I already know about doesn't help me, unfortunately.
Have you even bothered to try the update?  If so, and you don't mind, I would be grateful if you could supply me with FTP details so I can investigate the issue.

Thanks.

Actually no, I tried to disable the plugin from the ACP. Question: do I need to disable the plugin, or just overwrite it with that last update you posted?

Actually, when trying to disable this plugin it tells me to delete a line of code, so what do I do to continue?
(This post was last modified: 07-05-2010 12:33 PM by Technoman.)
07-05-2010 12:28 PM
ZiNgA BuRgA Offline
Fag
Posts: 3,340
Joined: Jan 2008
Post: #26
RE: Admin Security
You can simply overwrite it with the new file.

My Blog
07-05-2010 12:58 PM
Technoman Offline
Forum Idiot
Posts: 108
Joined: Jun 2010
Post: #27
RE: Admin Security
(07-05-2010 12:58 PM)ZiNgA BuRgA Wrote:  You can simply overwrite it with the new file.

Yes, thanks so very much!!!!!!!!!!!!!!!!!!!!!!

It worked bro (I wanna hug you now) muah Unlove muah
07-05-2010 01:15 PM
Dave Offline
Junior Member
Posts: 4
Joined: Jul 2010
Post: #28
RE: Admin Security
Hi,
Is there a way to have this active by default, rather than having to activate it?
(This post was last modified: 07-11-2010 06:31 AM by Dave.)
07-11-2010 06:23 AM
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,340
Joined: Jan 2008
Post: #29
RE: Admin Security
What do you mean by that?
Is this for a multi-forum script?  If so, you can probably just have the file there, and edit your inc/class_plugins.php
Find:

PHP Code:
$pluginlist = $cache->read("plugins");

Add below:

PHP Code:
$pluginlist['active'][] = 'adminsec';


Haven't looked at the mod, and haven't tested the above.


My Blog
07-11-2010 09:57 AM
Dave Offline
Junior Member
Posts: 4
Joined: Jul 2010
Post: #30
RE: Admin Security
Hi Zinga,

Yes, this is for the multi forums script.

The workaround you posted, would that make all plugins active? If so, I was looking just to have this script active and not any of the others by default, if that's at all possible.
07-11-2010 07:33 PM