Admin Security
This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated

This plugin is based on a suggestion made by frostschutz a while ago. MyBB seems to be largely ignorant about it, despite it actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet. So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:
  • Prevents arbitrary code execution from the AdminCP templates interface and from importing themes
  • Prevents admins from getting the database password
  • Hides non-forum related tables in the backup database page
Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.
(This post was last modified: 07-27-2011 07:11 PM by ZiNgA BuRgA.)
Download: admsec.php (5.7 KB)
Plugin Version: 1.02
Last Updated: 07-01-2010, 10:56 AM

Downloads: 929
MyBB Compatibility: 1.4.x, 1.6.x
Plugin License: WTFPLv2
Uploader: ZiNgA BuRgA
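The first two items in the list above (no PHP from the template editor, no reading the database password) come down to one guard on template source. The following is an added example of my own, not the plugin's code: it assumes that MyBB renders a template by eval()ing it as a double-quoted PHP string (roughly `eval('$html = "' . $template . '";')`), so that code can only run through the `{$...}` / `${...}` interpolation syntax, and that the DB credentials are reachable through `$config` / `$mybb->config`. The names `template_is_safe`, `render_template` and the denylist of roots are mine.

```php
<?php
// Added example, not the Admin Security plugin's code. It shows the kind of
// guard a "no PHP from the template editor" rule needs, on the assumption
// that MyBB renders a template by eval()ing it as a double-quoted PHP string,
// roughly  eval('$html = "' . $template . '";') , so the only way to run code
// from a template is the {$...} / ${...} interpolation syntax.

// Allowed interpolation: a variable, followed by any number of array
// subscripts (single-quoted, integer or simple-variable key) or property
// accesses. No parentheses (so no function or method calls), no nested braces.
// \G anchors the match at the offset passed to preg_match().
const SAFE_INTERPOLATION =
    '/\G\{\$[A-Za-z_]\w*'
    . '(?:\[(?:\'[^\']*\'|\d+|\$[A-Za-z_]\w*)\]|->[A-Za-z_]\w*)*'
    . '\}/';

// Roots that would expose the install's configuration (the DB credentials
// sit in $config / $mybb->config; that layout is an assumption here). An
// allowlist of the variables templates legitimately use would be stricter.
const FORBIDDEN_ROOTS = '/\$(?:GLOBALS|config|_SERVER|_ENV|this)\b|->config\b/';

function template_is_safe(string $tpl): bool
{
    // "${expr}" evaluates an arbitrary expression inside the string: reject.
    if (strpos($tpl, '${') !== false) {
        return false;
    }
    $offset = 0;
    while (($pos = strpos($tpl, '{$', $offset)) !== false) {
        if (!preg_match(SAFE_INTERPOLATION, $tpl, $m, 0, $pos)) {
            return false;           // not a plain variable/array/property reference
        }
        if (preg_match(FORBIDDEN_ROOTS, $m[0])) {
            return false;           // would read configuration
        }
        $offset = $pos + strlen($m[0]);
    }
    return true;
}

function render_template(string $tpl, array $vars): string
{
    if (!template_is_safe($tpl)) {
        throw new RuntimeException('template rejected: PHP interpolation not allowed');
    }
    // Escape quotes and backslashes for the eval()'d string literal, then put
    // single quotes back so {$arr['key']} subscripts still parse.
    $escaped = str_replace("\\'", "'", addslashes($tpl));
    extract($vars, EXTR_SKIP);
    eval('$html = "' . $escaped . '";');
    return $html;
}

// Constructed sample templates (not from a real board).
$vars   = ['username' => 'Dave', 'mybb' => (object) ['user' => ['postnum' => 4]]];
$safe   = '<b>{$username}</b> has {$mybb->user[\'postnum\']} posts';
$unsafe = [
    'Hi ${name}',                                  // ${...} expression syntax
    '{$mybb->user->format()}',                     // method call
    '{$mybb->config[\'database\'][\'password\']}', // config (DB password) read
];

echo render_template($safe, $vars), "\n";
foreach ($unsafe as $t) {
    printf("%-45s -> %s\n", $t, template_is_safe($t) ? 'accepted' : 'rejected');
}
```

The check is deliberately an allowlist of interpolation shapes rather than a search for known-bad function names: anything with a parenthesis, a nested brace or the `${` form is rejected outright, and the only denylist is for variable roots that reach configuration. If the Template Conditionals plugin mentioned in the first post is in use, its syntax would have to be whitelisted in the same way rather than passed straight to eval().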
ZiNgA BuRgA
Post: #31
RE: Admin Security
No, the edit just forces 'adminsec' into the active plugins list.
Note that I'm not sure if it will display correctly in the AdminCP -> Configuration -> Plugins section; it may appear to be disabled, but the effects of it being loaded will still exist.
The ideal solution would be to modify your installer to push this plugin into the active plugins cache, but I don't know your multi-forum script, so this should suffice.

(This post was last modified: 07-11-2010 07:43 PM by ZiNgA BuRgA.)
07-11-2010 07:40 PM
Dave
Post: #32
RE: Admin Security
Hi Zenga,

That's brilliant, many thanks for your help. One last question!

Although it would be active despite showing as deactivated in the plugin section, if an admin was to click "activate", would that make any difference? It wouldn't have the reverse effect and deactivate it? Or, because it's coded in to be active, the activate/deactivate switch will have no effect?

Hope that makes sense!
07-11-2010 08:35 PM
ZiNgA BuRgA
Post: #33
RE: Admin Security
If they go and activate it, it will just appear to be activated. There's no difference otherwise.
This plugin cannot be deactivated unless they have permissions to edit the PHP file.

07-11-2010 09:05 PM
Dave
Post: #34
RE: Admin Security
Superb.

Many thanks for your help. :)
07-11-2010 09:09 PM
Technoman
Post: #35
RE: Admin Security
(05-19-2010 09:29 PM)ZiNgA BuRgA Wrote:  Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).

Ok, after fixing the first issue with your second recommended update, I have tested this with multi forums now on 1 server, and what's happening now is once you click to see "view new posts" or "subscribe", Internet Explorer cannot display the webpage... this must be why it's not intended for multi-DB servers? Can this be the problem and affecting it? Or can this be something else interfering?

Thanks
07-22-2010 09:08 AM
ZiNgA BuRgA
Post: #36
RE: Admin Security
(07-22-2010 09:08 AM)Technoman Wrote:  this must be why its not intended for multi-Db servers?
Multi-DB refers to if you are using MySQL replication or similar.
You probably aren't, so this shouldn't be your problem.

This plugin shouldn't be doing anything special for specific browsers, so if it's only IE in which it's happening, it's probably something else.

07-22-2010 06:13 PM
Technoman
Post: #37
RE: Admin Security
(07-22-2010 06:13 PM)ZiNgA BuRgA Wrote:  
(07-22-2010 09:08 AM)Technoman Wrote:  this must be why its not intended for multi-Db servers?
Multi-DB refers to if you are using MySQL replication or similar.
You probably aren't, so this shouldn't be your problem.

This plugin shouldn't be doing anything special for specific browsers, so if it's only IE in which it's happening, it's probably something else.

It's happening in FF and IE; these are the only 2 I use.
07-22-2010 06:59 PM
ZiNgA BuRgA
Post: #38
RE: Admin Security
I suspect it may have something to do with the redirect pages (note, disabling these isn't necessarily a solution), and maybe the multi-forum script doing something a bit different with them.
I don't have the time to check, but it probably modifies the underlying database configuration, which may be causing it to break down.

I don't know what modifications it makes to DB configuration, but if the script is good, inc/config.php should be a redirect to the proper configuration file.

07-22-2010 07:49 PM
Captain Pretender
Post: #39
RE: Admin Security
Hi, sorry to dig up an old thread...

Is there no way to allow template editing and yet still preserve your DB details?

Even with this activated, the DB username and dbname can be easily accessed.

I was making a multiforum script that basically uploads and installs the board for users, so template editing is a must.
08-19-2010 06:43 AM
ZiNgA BuRgA
Post: #40
RE: Admin Security
This plugin should be making it difficult, if not impossible, to access the DB password.
If you could say how one can view the DB password with this plugin installed, I would be able to look into it.

Thanks.

08-19-2010 07:31 AM