Quick Login   
 
Register AdminFusion Tutorials Post Fusion Forum Matrix
 
Go Back AdminFusion » Software & Tech » Software » Other Software » [MyBB News] Regarding the "Debug mode, change users password" Vulnerability
Reply
 
LinkBack
Old 03-30-2007, 01:40 AM   #1
Forum Guru
 
Join Date: Sep 2005
Posts: 8,309
Industry News is on a distinguished road
Post [MyBB News] Regarding the "Debug mode, change users password" Vulnerability

Hi,

It has come to our attention that users have discovered what they believe to be a vulnerability in MyBB with the lost password functionality and debug mode.

We want to make it clear this is not a vulnerability in MyBB and has hugely been miss-reported and identified by "HACKERS PAL" the group who "discovered it".

The supposed vulnerability states that using the MyBB debug mode users can see the challenge code we save in the database for password resets and this can then be used to change the password of a user.

Lets look at the facts:
  • The ?debug=1 mode parameter is only available to Administrators who can also change the password of a user using the Admin CP.
  • If for some reason debug mode is publicly accessible and someone does manage retrieve an activation key, it will just reset the password of the user and MyBB will email them a new one - the person attempting this "exploit" would not be able to specify a new password for the user or see the newly generated one.
  • The debug mode is a list of queries. If this were a true exploit it could be stated that the debug mode also allows you to see things such as registered email addresses being checked in the back end, login keys, encrypted passwords and password salts.
We're treating this vulnerability as bogus due to the above reasons.

If for some reason you do have the debug mode functionality accessible to the public (either by a code modification yourself or someone else) then we recommend you disable it.

More...
Industry News is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

 
Posting Rules

Similar Threads
Thread Thread Starter Forum Replies Last Post
Getting Site User Feedback shellspeare Handling Problem Members 2 03-09-2006 07:34 PM

AdminFusion

All times are GMT +1. The time now is 07:07 PM. Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0

© 2009 AdminFusion | Advertising Opportunities | Legal | A member of the Crowdgather Forum Community
 
From:
Title:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77