Double dot (..) between file name and extension

Discussion in 'MyBB Discussions' started by pixelek, Jun 9, 2014.

  1. pixelek

    pixelek Regular Member

    Joined:
    Oct 9, 2013
    Messages:
    229
    Likes Received:
    85
    Location:
    Torun, Poland
    Hi,

    as a warning to every forum admin here and there - MyBBoard.pl staff is devoted to manipulating files included within the MyBB script. They call themselves Polish MyBB support.

    They add file(s) with a double dot (..) between name and extension. This puts your forum at serious risk by allowing anyone to upload (via FTP) any file, and the script will change (or add) the .php extension so the code included could be executed.

    They claim no responsibility for it and deny any acknowledgement.

    I would use caution when dealing with MyBBoard.pl.

    What to do if you download MyBB from their download section?

    1. Inspect all your directories (with their subdirs) on all your servers for double dots between file name and extension,

    2. Change your password (and username - where possible) for FTP accounts. Hint: use a mixture of small/capital letters, digits, special chars etc. If you like, you can use password generators found with Google.

    3. Introduce hashing and salting of users' passwords. (This is a must-have for administrative users.)

    4. I'd suggest you ban MyBBoard.pl as there may be more activities like this in the future. Their IP is 91.234.146.220.

    Best,
    pixelek
     
    Last edited: Jun 9, 2014
    Terry likes this.
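A defender-side check for step 1 of the post above, added here as an example (it is not code from the post, from MyBB or from any MyBB distribution): walk a web root and list every entry whose name carries a double dot right before its extension. The sample tree and its file names are constructed for the demo.

```python
"""Scan a directory tree for names with a double dot before the extension
(e.g. "avatar..php"), the pattern described in the post above."""
import os
import re
import tempfile
from typing import List

# Basename whose extension is preceded by two or more consecutive dots,
# e.g. "image..php" or "shell..jpg"; single dots ("logo.min.js") are fine.
DOUBLE_DOT_RE = re.compile(r"\.{2,}[^./\\]+\s*$")


def is_double_dot_name(name: str) -> bool:
    """True if the basename has '..' between its stem and extension."""
    base = os.path.basename(name)
    if base in (".", ".."):          # the directory entries themselves
        return False
    return DOUBLE_DOT_RE.search(base) is not None


def find_double_dot_files(root: str) -> List[str]:
    """Walk root (not following symlinks) and return the relative paths of
    files and directories whose name matches the pattern, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for entry in dirnames + filenames:
            if is_double_dot_name(entry):
                hits.append(os.path.relpath(os.path.join(dirpath, entry), root))
    return sorted(hits)


# Constructed sample tree for the demo; these names are made up and are not
# taken from any real MyBB release.
SAMPLE_FILES = [
    "index.php",
    "inc/functions.php",
    "uploads/avatars/avatar_1.jpg",
    "uploads/avatars/avatar_2..php",   # suspicious
    "inc/plugins/hello..php",          # suspicious
    "images/logo.min.js",              # single dots are fine
]


def demo() -> List[str]:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_FILES:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_double_dot_files(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

Run it with the web root as `root` instead of the temp tree; every reported path should be compared against the files you know you deployed.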
  2. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    There was and I think still is a bug in UBBThreads which allows this to happen.
     
    pixelek likes this.
  3. pixelek

    pixelek Regular Member

    Joined:
    Oct 9, 2013
    Messages:
    229
    Likes Received:
    85
    Location:
    Torun, Poland
    That's true, but mybboard.pl continues to offer this buggy version for download. That's why I suggested banning them...
     