Makestation
why or by which plugin Mybb hacked? - Printable Version




why or by which plugin Mybb hacked? - tc4me - February 18th, 2021

Hi Darth, hi folks, the forum was hacked once by an insecure plugin; which one was that? The MyDropzone plugin, or?
Why I ask: strangely enough, the previously paid plugins are offered for free:

MyDropzone
Symposium
ENdless
Drafts Auto Save
Default Message

Regards, Tc4me


RE: why or by which plugin Mybb hacked? - s3_gunzel - February 18th, 2021

If I recall, it was the Hovercard plugin.


RE: why or by which plugin Mybb hacked? - tc4me - February 18th, 2021

Okay, thank you.


RE: why or by which plugin Mybb hacked? - Darth-Apple - February 18th, 2021

Yes, hovercards was the plugin that got us. There was another one that was vulnerable as well. I don’t remember exactly which one it was (I’ll look back through the messages and get back to you). They were notified multiple times when it was discovered.

Update: It was the drafts auto save plugin. Checked back today, still does not appear to have been patched. Sent another message to the MyBB team about it today.


RE: why or by which plugin Mybb hacked? - tc4me - February 18th, 2021

Oh, take a look at
Hovercards: https://community.mybb.com/mods.php?action=download&pid=1441
and here
Drafts Auto Save: https://community.mybb.com/mods.php?action=download&pid=1438

Angry


RE: why or by which plugin Mybb hacked? - Darth-Apple - February 18th, 2021

I just made them aware again, they will probably address it shortly. Don’t install the drafts auto save yet. Hovercards has already been patched.

MyDropZone and Symposium are safe too I believe. I audited those a while back. Not sure about any of the other ones, haven’t audited all of them yet.


RE: why or by which plugin Mybb hacked? - tc4me - February 18th, 2021

OK, thank you, I'll keep waiting before I try, thank you.
Yes, Ben throws out one plugin after the other; is he in a good mood or bored?


RE: why or by which plugin Mybb hacked? - Darth-Apple - February 18th, 2021

Did some digging and research on this one. The plugin is no longer vulnerable. It turns out it was evidently patched at some point as a fly-by-night thing, with absolutely no change to the version, date, or timestamp. No idea when exactly it was patched, it was done at some point after this August with no mention of it publicly.


RE: why or by which plugin Mybb hacked? - tc4me - February 19th, 2021

That’s already very good, thank you Darth-Apple for your commitment,