Admin Security
Author Message
This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:
  • Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
  • Prevent admins from getting the database password
  • Hides non-forum related tables in the backup database page
Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.
(This post was last modified: 07-27-2011 07:11 PM by ZiNgA BuRgA.)
Find all posts by this user
Quote this message in a reply
Download: admsec.php (5.7 KB)
Plugin Version: 1.02
Last Updated: 07-01-2010, 10:56 AM

Downloads: 938
MyBB Compatibility: 1.4.x, 1.6.x
Plugin License: WTFPLv2
Uploader: ZiNgA BuRgA
Captain Pretender Offline
Junior Member
**
Posts: 5
Joined: Aug 2010
Post: #41
RE: Admin Security
is there any way to completely hide the dbname/dbusername like the password is hidden

cause i do not want to disable the template system like all other hosts
08-19-2010 01:18 PM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,340
Joined: Jan 2008
Post: #42
RE: Admin Security
(08-19-2010 07:31 AM)ZiNgA BuRgA Wrote:  This plugin should be making it difficult, if not impossible, to access the DB password.
If you could say how one can view the DB password with this plugin installed, I would be able to look into it.

Thanks.

My Blog
08-19-2010 01:39 PM
Find all posts by this user Quote this message in a reply
Captain Pretender Offline
Junior Member
**
Posts: 5
Joined: Aug 2010
Post: #43
RE: Admin Security
sorry if i was unclear

the password IS hidden

but the dbname and dbusername are still accessible...quite simply in fact

Code:
Header Template
host:{$config['database']['hostname']}<br/>
DB:{$config['database']['database']}<br/>
User:{$config['database']['username']}<br/>


is this a secure enough situation ...if it is then i apologize for not understanding

08-19-2010 01:48 PM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,340
Joined: Jan 2008
Post: #44
RE: Admin Security
Yes, hostname/username is accessible and I don't see anything anyone could usefully do with it without a password. (that's the entire purpose of a password)

My Blog
(This post was last modified: 08-19-2010 01:56 PM by ZiNgA BuRgA.)
08-19-2010 01:55 PM
Find all posts by this user Quote this message in a reply
Imran Offline
Member
***
Posts: 204
Joined: Apr 2010
Post: #45
RE: Admin Security
Extra ordinary !
Thanks Yumi !

[Image: logo.png]

[Image: twitter.png]
08-26-2010 10:38 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Captain Pretender Offline
Junior Member
**
Posts: 5
Joined: Aug 2010
Post: #46
RE: Admin Security

PHP Code:
1
2
3
4
5
6
function admsec_rm_db_pass() {
	$GLOBALS['mybb']->config['database']['backup_type'] = $GLOBALS['mybb']->config['database']['type'];
	unset($GLOBALS['mybb']->config['database']['password'], $GLOBALS['mybb']->config['database']['type'], $GLOBALS['mybb']->config['database']['username'], $GLOBALS['mybb']->config['database']['database']);
	// unsetting the DB type forces run_shutdown to reload the config
	// TODO: unset for multi-connection setups
}


i added a small bit of code that unsets the username and dbname also

are there any side effects to that

08-30-2010 04:48 PM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,340
Joined: Jan 2008
Post: #47
RE: Admin Security
Probably not.  Use it if you don't notice anything going wrong.
If you're wondering why I don't do it, it's because I try to minimize the number of changes I make, to reduce the potential number of conflicts which may occur by other modifications, or changes in the MyBB script in the future.  I deem unsetting those unnecessary, so I don't do it.

Do note that, despite what you may think, it doesn't really improve security, assuming you're using a reasonable password.  At best, it's merely obscurity.

My Blog
08-30-2010 05:37 PM
Find all posts by this user Quote this message in a reply
Captain Pretender Offline
Junior Member
**
Posts: 5
Joined: Aug 2010
Post: #48
RE: Admin Security
thanks
08-30-2010 06:02 PM
Find all posts by this user Quote this message in a reply
xxvirusxx Offline
Junior Member
**
Posts: 1
Joined: Feb 2011
Post: #49
RE: Admin Security
thx
02-12-2011 10:11 PM
Find all posts by this user Quote this message in a reply
WINBOY Offline
Member
***
Posts: 69
Joined: Nov 2012
Post: #50
RE: Admin Security
Should it will be helpful to install in mybb 1.8.22...I don't know much more about securities in this version.

Is it easy to get database username and password?
Thank you.
(This post was last modified: 06-25-2020 09:41 PM by WINBOY.)
06-25-2020 09:36 PM
Find all posts by this user Quote this message in a reply


Forum Jump: