Posts: 1,170
Joined: Mar 2020
Reputation:
44
Location: Austria
February 18th, 2021 at 10:17 AM
Hi Darth, hi folks, the forum was hacked once by an insecure plugin; which one was that? The MyDropzone plugin, or?
Why I ask: strangely enough, the previously paid plugins are offered for free:
MyDropzone
Symposium
ENdless
Drafts Autosafe
Default Message
Kind regards, Tc4me
[x] <= Drive in nail here for new display!
Posts: 122
Joined: Apr 2020
Reputation:
22
February 18th, 2021 at 11:11 AM
(This post was last modified: February 18th, 2021 at 11:13 AM by s3_gunzel.)
If I recall, it was the Hovercard plugin.
Posts: 5,287
Joined: May 2013
Reputation:
181
Location: Where's North?
February 18th, 2021 at 5:32 PM
Yes, hovercards was the plugin that got us. There was another one that was vulnerable as well. I don’t remember exactly which one it was (I’ll look back through the messages and get back to you). They were notified multiple times when it was discovered.
Update: It was the drafts auto save plugin. Checked back today, still does not appear to have been patched. Sent another message to the MyBB team about it today.
Posts: 5,287
Joined: May 2013
Reputation:
181
Location: Where's North?
February 18th, 2021 at 7:56 PM
I just made them aware again, they will probably address it shortly. Don’t install the drafts auto save yet. Hovercards has already been patched.
MyDropZone and Symposium are safe too I believe. I audited those a while back. Not sure about any of the other ones, haven’t audited all of them yet.
Posts: 1,170
Joined: Mar 2020
Reputation:
44
Location: Austria
February 18th, 2021 at 8:14 PM
OK, thank you, I'll keep waiting before I try, thank you.
Yes, Ben throws out one plugin after the other; is he in a good mood or bored?
[x] <= Drive in nail here for new display!
Posts: 5,287
Joined: May 2013
Reputation:
181
Location: Where's North?
February 18th, 2021 at 10:51 PM
Did some digging and research on this one. The plugin is no longer vulnerable. It turns out it was evidently patched at some point as a fly-by-night thing, with absolutely no change to the version, date, or timestamp. No idea when exactly it was patched, it was done at some point after this August with no mention of it publicly.
Posts: 1,170
Joined: Mar 2020
Reputation:
44
Location: Austria
February 19th, 2021 at 5:08 AM
That’s already very good, thank you, Darth-Apple, for your commitment.
[x] <= Drive in nail here for new display!