Topic: 1.42 big bug

On 1.42, a guy can always modify the admin's pwd!
And then turn my website into maintenance mode,
even if I block the changpass function!
This is important! Anybody can fix it

2 (edited by zqzhr 2012-03-26 05:44)

Re: 1.42 big bug

No constructors or administrators give a response?


Re: 1.42 big bug

Please give step-by-step instructions on how to reproduce this bug. Use the bug report page: http://punbb.informer.com/bugreport.php


Re: 1.42 big bug

I don't know how he modified the admin's pwd.
If I knew, I could easily block this function!
But in communication, he says he can hack any forum, but doesn't provide any information!
I just guess he uses SQL injection, but I don't know which page or form he injects!
Now I'm getting crazy!


Re: 1.42 big bug

Does PunBB have no logs to record what the administrators do?


Re: 1.42 big bug

Logging is possible if the pun_admin_log extension is installed.
Vulnerabilities may be in the extensions.

Re: 1.42 big bug

Use Apache logs for investigation - it logs every request.
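
One way to run the Apache-log investigation suggested in this thread, as an added example that is not from any poster or from PunBB: it flags requests whose decoded URI contains common SQL injection markers, and POSTs to credential-related pages. The log lines are constructed, and the paths `profile.php`, `admin/` and `example.php` are assumptions to adjust to your install.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "METHOD uri PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Common SQL injection markers, matched after URL-decoding the request URI.
SQLI_RE = re.compile(
    r"(\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"information_schema|--\s|/\*|'\s*(or|and)\b)", re.I)
# Assumption: pages that can change credentials or board settings on this install.
SENSITIVE_RE = re.compile(r"/(profile\.php|admin/)", re.I)

def triage(lines):
    """Return (reason, ip, timestamp, uri) for each request worth reviewing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        uri = unquote_plus(m["uri"])
        if SQLI_RE.search(uri):
            findings.append(("sqli-pattern", m["ip"], m["ts"], uri))
        elif m["method"] == "POST" and SENSITIVE_RE.search(uri):
            # POST bodies are not in the access log; review these by time and IP.
            findings.append(("sensitive-post", m["ip"], m["ts"], uri))
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '203.0.113.5 - - [25/Mar/2012:10:01:02 +0000] "GET /viewtopic.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2012:10:04:40 +0000] "GET /example.php?id=1%27+UNION+SELECT+1,2--+ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2012:10:05:11 +0000] "POST /profile.php?action=change_pass&id=2 HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Mar/2012:10:06:30 +0000] "POST /post.php?tid=12 HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

Access logs do not record POST bodies, so an injection sent in a form field appears only as the POST itself; use the flagged timestamps and IPs to correlate with the time the password changed.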