MyBB 0Day
RE: MyBB 0Day #11
(02-18-2013, 10:29 AM)1llusion Wrote:
(02-18-2013, 03:49 AM)Madderc Wrote:
(02-18-2013, 12:19 AM)1llusion Wrote: I've made an article on my blog about the vuln. Read it here: http://blog.1llusion.info/2013/02/mybb-f...l-and.html

Wow thanks a lot, that really did explain most of it I think.

On a side note, what exactly does file uploading do? Does it mean people sharing stuff through the forum?

File upload is... well... file upload. It is a vulnerability through which somebody can upload some stuff on your server.

So that means that the file upload is a vulnerability?

My confusion was why would there be a file upload to a forum... but if it is activated for malicious purposes then I understand.

"Offense is not given, it's taken"


RE: MyBB 0Day #12
(02-18-2013, 05:56 PM)Madderc Wrote:
(02-18-2013, 10:29 AM)1llusion Wrote:
(02-18-2013, 03:49 AM)Madderc Wrote:
(02-18-2013, 12:19 AM)1llusion Wrote: I've made an article on my blog about the vuln. Read it here: http://blog.1llusion.info/2013/02/mybb-f...l-and.html

Wow thanks a lot, that really did explain most of it I think.

On a side note, what exactly does file uploading do? Does it mean people sharing stuff through the forum?

File upload is... well... file upload. It is a vulnerability through which somebody can upload some stuff on your server.

So that means that the file upload is a vulnerability?

My confusion was why would there be a file upload to a forum... but if it is activated for malicious purposes then I understand.

Having a feature where users can upload files to your server is dangerous, and unless you know what you are doing, you shouldn't do it.
This is because you provide the attackers with a comfortable way to get their tools on your server. A lot of vulnerability scanners search for file uploads and flag them as a possible weak point. Avatar uploads on MyBB, for example, are quite secure; there are a number of security measures that prevent uploading of malicious data.

The real question is whether somebody found a way around these security measures.
Staff will never ever ask you for your personal information.
We know everything about you anyway.


RE: MyBB 0Day #13
(02-19-2013, 01:01 AM)1llusion Wrote:
(02-18-2013, 05:56 PM)Madderc Wrote:
(02-18-2013, 10:29 AM)1llusion Wrote:
(02-18-2013, 03:49 AM)Madderc Wrote:
(02-18-2013, 12:19 AM)1llusion Wrote: I've made an article on my blog about the vuln. Read it here: http://blog.1llusion.info/2013/02/mybb-f...l-and.html

Wow thanks a lot, that really did explain most of it I think.

On a side note, what exactly does file uploading do? Does it mean people sharing stuff through the forum?

File upload is... well... file upload. It is a vulnerability through which somebody can upload some stuff on your server.

So that means that the file upload is a vulnerability?

My confusion was why would there be a file upload to a forum... but if it is activated for malicious purposes then I understand.

Having a feature where users can upload files to your server is dangerous, and unless you know what you are doing, you shouldn't do it.
This is because you provide the attackers with a comfortable way to get their tools on your server. A lot of vulnerability scanners search for file uploads and flag them as a possible weak point. Avatar uploads on MyBB, for example, are quite secure; there are a number of security measures that prevent uploading of malicious data.

The real question is whether somebody found a way around these security measures.

Thanks for the tip, will surely keep that in mind if I ever create a site or something like that, thanks a lot

"Offense is not given, it's taken"


RE: MyBB 0Day #14
(02-18-2013, 12:19 AM)1llusion Wrote: I've made an article on my blog about the vuln. Read it here: http://blog.1llusion.info/2013/02/mybb-f...l-and.html

Thanks 1llusion. I was wondering what the hell the 0day was xD
xevenofhearts


RE: MyBB 0Day #15
I have noticed that the 0day has completely disappeared from 1337day so I think that answers all questions LOL
