Admin Security
Author Message
This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:
  • Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
  • Prevent admins from getting the database password
  • Hides non-forum related tables in the backup database page
Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).

For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.
(This post was last modified: 07-27-2011 07:11 PM by ZiNgA BuRgA.)
Find all posts by this user
Quote this message in a reply
Download: admsec.php (5.7 KB)
Plugin Version: 1.02
Last Updated: 07-01-2010, 10:56 AM

Downloads: 972
MyBB Compatibility: 1.4.x, 1.6.x
Plugin License: WTFPLv2
Uploader: ZiNgA BuRgA
ZiNgA BuRgA Offline
Posts: 3,355
Joined: Jan 2008
Post: #51
RE: Admin Security
(06-25-2020 09:36 PM)WINBOY Wrote:  Should it will be helpful to install in mybb 1.8.22...I don't know much more about securities in this version.

Is it easy to get database username and password?
MyBB has incorporated this plugin's functionality as mentioned at the top of the page, so there's not much point, and I'm not supporting it on newer versions of MyBB.
Although I think it's still possible to retrieve database credentials as their filter doesn't seem to exclude $mybb->settings['database']

My Blog
(This post was last modified: 02-28-2021 08:53 PM by ZiNgA BuRgA.)
02-28-2021 08:53 PM
Find all posts by this user Quote this message in a reply

Forum Jump: