So... MyBB, eh?

[Galen]

I'm curious as to what made you guys choose MyBB for the HostGUI board over the bigger (free) guns like phpBB or SMF. Not that I'm complaining. I recently jumped ship from phpBB and landed safely with MyBB and would recommend it to everyone. It's the best free forum system out there; people just haven't found that out yet. I'm just kinda curious why Jag went with a lesser-known system over something more established. Just seems... unusual.

Also, MyBB is rediculously easy to customize. You guys should axe the default theme and template and implement the one we all know and love from here

[JPC-Greg]

You answered your own question in there. I dont trust nor like the lack of features with phpbb too well. I didnt hear of MyBB til someone mentioned it here on our own forums but it rocks. Im going to try and heavily push that forum over phpbb. As for customizing , it was a late night thing putting that forum up and I havent had time to go back. You voluntering to make a theme?

[Vin DSL]

I'm sure you guys know this, but...

CVE: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mybb

NVD: http://nvd.nist.gov/nvd.cfm (Search for MyBB)

[Galen]

I didnt hear of MyBB til someone mentioned it here on our own forums

Hehe, that would be me


Vin:
http://community.mybboard.net/showth...588#pid545 88

Most of the vulnerabilities you mention require a user to already have access to the AdminCP to exploit them (and they've now been fixed).

Besides.... http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb

[Vin DSL]

Alrighty then!

I just wanted to make sure you guys realized MyBB is NOT a secure alternative to phpBB. Some ppl think, if they use a BB that nobody's heard of, they'll be flying below the hacker's radar...

[JPC-Greg]

heh, hoping that wasnt meant to mean phpbb is a secure source to begin with

If its online, its not secure..end of story. I just became an instant fanboy of mybb when i used it, installed it, and messed around with it for a few moments.

[Vin DSL]

Just for giggles, you might try running this against your site:

*Deleted by VinDSL -- Use your imagination*

CVE says there's no patch available...

[rainboy]

Not really nice to post proof of concept exploit links here .. asking for trouble if i may say . not that they should be hidden away. Just think you should not bring other people some new idea's

Any product is unsafe, some more as others.

Kind regards,
Patrick

[Ron]

that was nice...

[Vin DSL]

Bah, I run exploits against my web site (but NOT the server) all the time. So do the Turks and Persian hackers, et cetera -- I see them in my logs every day...

How else are you gonna know if your site is secure -- or not?

[Vin DSL]

that was nice...

LoL! You should talk...

[rainboy]

sure they are ... but it still not nice to invite people over and see what happens, wait till a exploit of such a product from another user brings your site down.. are you happy then ? but then.. maybe you are

[Vin DSL]

I guess you didn't understand what I said...

I run exploits against my own web site all the time. Sometimes I'll get bored and do it for 2-3 days straight -- run exploits -- type garbage in the address bar -- you name it! That's how you discover stuff like the former POC.

As a matter of fact, 'we' accidently discovered a bug in PHP that can bring down practically any MySQL server in the world! The script kiddies haven't dicovered this one yet, but it's only a matter of time. When they do, 'we' will be ready!

Isn't it better to be proactive about these things, rather than shutting the barndoor after the horse gets out?

[JPC-Greg]

As a matter of fact, 'we' accidently discovered a bug in PHP that can bring down practically any MySQL server in the world! The script kiddies haven't dicovered this one yet, but it's only a matter of time. When they do, 'we' will be ready!

You wanna share this tidbit with me?

[Vin DSL]

...it[s] still not nice to invite people over and see what happens...

Oh, BTW, I invited Jag and Galen to run this widely published vuln against their own site[s] -- to see what would happen (probably nothing) -- the same as I would do. I ran it against my own site immediately after I posted that message, even though I don't run MyBB.

I wasn't issuing a challenge to hackers, so don't get your tulips in a bunch...