Admin Security
This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated.

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:
  • Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
  • Prevent admins from getting the database password
  • Hide non-forum-related tables in the backup database page
Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.
(This post was last modified: 07-27-2011 07:11 PM by ZiNgA BuRgA.)
Download: admsec.php (5.7 KB)
Plugin Version: 1.02
Last Updated: 07-01-2010, 10:56 AM

Downloads: 1,256
MyBB Compatibility: 1.4.x, 1.6.x
Plugin License: WTFPLv2
Uploader: ZiNgA BuRgA
Pirata Nervo Offline
Post: #11
RE: Admin Security
Oh yeah I forgot that you're using the WTFPL license now.
05-22-2010 09:03 PM
Firefox Wins Offline
Post: #12
RE: Admin Security
WTF this looks pretty good.
I didn't know the admin section was so messed up. Will MyBB get better priorities any time soon?
05-23-2010 02:03 PM
Imran Offline
Post: #13
RE: Admin Security
Magnificent release..

05-24-2010 04:22 AM
Taz112768 Offline
Post: #14
RE: Admin Security
Thanks, I see.
(This post was last modified: 06-01-2010 09:46 PM by Taz112768.)
06-01-2010 09:44 PM
ZacAttack Offline
Post: #15
RE: Admin Security
I love this plugin but after about 10ish days it gave me this error:

Code:
Database: MySQL
SQL Error: 1045 - Access denied for user 'USERNAME'@'HOSTNAME' (using password: NO)
Query: [READ] Unable to connect to MySQL server

At first I didn't think it would be this plugin so I deactivated all plugins and changed databases. Nothing changed until I deactivated this plugin.

Hopefully you can figure out what went wrong and fix it so I can reactivate it.

(This post was last modified: 06-24-2010 02:01 PM by ZacAttack.)
06-24-2010 02:01 PM
ZiNgA BuRgA Offline
Post: #16
RE: Admin Security
I guess it's possible that there's a conflict with some other modification.  Are you able to do a clean install and replicate the issue?  If so, please provide a step-by-step guide on how to do so.
You can also try seeing if this is unique to your environment by downloading a DB backup with your forum's files and running from localhost.

If you can't provide a step-by-step guide, I might be able to trace things down if you either supply me with FTP/admin details or a DB backup with your forum's files.

Hope that helps, and thanks.

06-24-2010 04:18 PM
Shemo Offline
Post: #17
RE: Admin Security
(06-24-2010 04:18 PM)ZiNgA BuRgA Wrote:  I guess it's possible that there's a conflict with some other modification.  Are you able to do a clean install and replicate the issue?  If so, please provide a step-by-step guide on how to do so.
You can also try seeing if this is unique to your environment by downloading a DB backup with your forum's files and running from localhost.

If you can't provide a step-by-step guide, I might be able to trace things down if you either supply me with FTP/admin details or a DB backup with your forum's files.

Hope that helps, and thanks.

Looks like a few people have reported problems with this plugin, including myself.

Please see these threads:
http://community.mybb.com/thread-72296.html
http://community.mybb.com/thread-72591.html
06-30-2010 07:37 AM
ZiNgA BuRgA Offline
Post: #18
RE: Admin Security
So quick reply only?
I can't reproduce here, but looking through stuff, it may be possible that a dodgy (older) version of PHP is causing the issue.

Can you give this a try and tell me if it fixes it?
Thanks.


Attached File(s)
.php  admsec.php (Size: 5.7 KB / Downloads: 548)

06-30-2010 09:05 AM
Shemo Offline
Post: #19
RE: Admin Security
(06-30-2010 09:05 AM)ZiNgA BuRgA Wrote:  So quick reply only?
I can't reproduce here, but looking through stuff, it may be possible that a dodgy (older) version of PHP is causing the issue.

Can you give this a try and tell me if it fixes it?
Thanks.

Looks fine as far as I can see for now.  Will let you know if I run into any more problems.
07-01-2010 09:43 AM
ZiNgA BuRgA Offline
Post: #20
RE: Admin Security
Thanks Shemo.

07-01-2010 10:56 AM