MyBB Ideas

The MyBB Ideas site allows users to suggest new features and changes in MyBB and the MyBB Group to easily review them to decide what direction MyBB should head in.

Anti Hacker System

27 votes

Submitted by Shylios, 17th February 2008, 4:13:46 PM

Sorry for my poor English.
A lot of hackers are giving themselves Administrator.
Make a new mod! If somebody (Super Admin, Admin, or somebody with access to the Admin Panel) gives somebody the Admin, Super Mod or Moderator rank,
then the Super Admin must confirm the upgrade of the user via email.

7 Comments

  1. I think what you mean is, if someone tries to hack a forum, and manages to create an administrator account there must be a confirmation via email to give the person actual permissions or deny him the permissions. Besides that, if you as an administrator give a person administrator privileges there has to go an email as well to confirm this upgrade.

    knol, 17th February 2008, 6:15:28 PM
  2. Let's just hope that the admin doesn't use the same passwords for his email as for the forum.

    ct2k7, 19th February 2008, 1:21:03 AM
  3. Yeah, that's a good idea, I think.

    _Tim, 20th February 2008, 9:35:58 AM
  4. An issue with this is that most of the time, hackers don't use MyBB in order to gain privileges. They use SQL injections, which MyBB wouldn't be able to detect. So basically, if someone made themselves Admin using a SQL injection, then MyBB would have no idea.

    And if anyone of your members is promoting staff without your consent, then they probably shouldn't be staff :)

    nickman, 21st February 2008, 4:24:06 AM
  5. Is there perhaps a way to let MyBB check for changes in the permissions, by making a restore point via the admin? (And make the permission check run automatically when someone tries to enter the admin or every time the superadmin enters his board.) If the hacker had no previous rights, MyBB compares with the restore point and automatically revokes the permissions. And then unless a link is used by means of email the new admin or moderator gets the permissions or not. It must be a very competent hacker to know this and avoid it. Besides this, if the attacker uses MySQL injection, the damage may be less than normal, or am I wrong?

    knol, 21st February 2008, 1:12:23 PM
  6. ^ Yes, we could make it slightly more difficult, but then, there's really nothing stopping a hacker from getting around that either.
    With your case, if we check some "restore point", what's stopping the hacker from changing that as well?

    For SQL injection, well, it partly depends on what the attacker can inject, considering the environment. If the attacker can inject their own SQL statement, well, your entire board can be compromised...

    ZiNgA BuRgA, 25th February 2008, 9:46:49 AM
  7. What would prevent the hacker from changing the email address of the Super Admin?

    D.Vader, 19th March 2008, 3:39:32 PM
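
The restore-point check proposed in comment 5, with the objection from comment 6 handled by sealing the baseline with an HMAC whose key is assumed to be kept outside the database. This is an added example, not MyBB code or part of any comment; the `users` table, the privileged group IDs, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import sqlite3

# Assumption: group IDs treated as privileged (super moderator, administrator, moderator).
PRIVILEGED_GROUPS = {3, 4, 6}


def privileged_users(conn):
    """Return {uid: usergroup} for every account in a privileged group."""
    rows = conn.execute("SELECT uid, usergroup FROM users").fetchall()
    return {str(uid): gid for uid, gid in rows if gid in PRIVILEGED_GROUPS}


def seal(snapshot, key):
    """Serialize the snapshot and attach an HMAC so edits to it are detectable."""
    body = json.dumps(snapshot, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unapproved_changes(conn, sealed, key):
    """List uids whose privileged group is absent from or differs from the baseline."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("baseline failed integrity check")
    baseline = json.loads(sealed["body"])
    current = privileged_users(conn)
    return sorted(uid for uid, gid in current.items() if baseline.get(uid) != gid)


def demo():
    # Constructed sample data: uid 1 is the legitimate administrator.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, usergroup INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "owner", 4), (2, "alice", 2), (3, "bob", 2)])
    key = b"constructed-key-kept-outside-the-database"
    sealed = seal(privileged_users(conn), key)
    # A group change written straight to the table, bypassing the admin panel.
    conn.execute("UPDATE users SET usergroup = 4 WHERE uid = 3")
    return unapproved_changes(conn, sealed, key), sealed, conn, key


if __name__ == "__main__":
    print(demo()[0])
```

The check only holds while the key and the code running the comparison stay out of reach of whoever can write to the database, which is the limit comment 6 points at.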
