Topic: Ban Exploit

I was running PunBB 1.2.9 (now running 1.2.10) and somehow someone had been able to unban themselves and then, just to annoy my forum, proceeded to ban everyone else. Is there any known exploit of this kind? Or does anyone have any ideas of how this was done? And I know it was not any of my moderators.

Re: Ban Exploit

I am not aware of any such vulnerability. It should be noted however, that a ban is set for the username and or IP address. Anyone can just register with a new username and a new IP. There is no way to protect the forums from that.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Ban Exploit

Thanks, but that is not my concern. What I am concerned about is that someone is removing and adding bans, and it is not me and can't possibly be a moderator because there are none at the moment.

Re: Ban Exploit

No, there is no such exploit, nor is it possible through PunBB's code as far as I can tell (especially with the protection Rickard added in 1.2.9).
A couple of possibilities:
The guy figured out your password and is logging in as you to unban himself
The guy can access your DB
Your PunBB isn't fully updated. He's using an exploit that you didn't fully patch to gain access.

Now, three things that might help you:
1. Upgrade to 1.2.10
The removal of reliance on X_FORWARDED_FOR means it becomes harder for him to fake his IP
2. Change your password to something complicated and hard to figure out
3. If you have access to the access_log, paste us the relevant parts and we can try and figure out if it was actually an exploit
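To illustrate point 1 above, here is an added example (not PunBB's code) of why an IP ban that resolves the client address from X-Forwarded-For is bypassable, beside a hardened resolver that uses the socket peer address and only honours the header when the request came from a known reverse proxy. The ban list, proxy address and request dictionaries are constructed, hypothetical values.

```python
import ipaddress

# Constructed ban list and trusted reverse proxy (hypothetical values).
BANNED_IPS = {"203.0.113.45"}
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_naive(environ):
    """Weak resolver: prefers the client-controlled X-Forwarded-For header."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip_hardened(environ):
    """Hardened resolver: trust the TCP peer address. Only when that peer is
    one of our own proxies do we read X-Forwarded-For, and then only the
    last entry, which is the one our proxy appended; earlier entries are
    whatever the client chose to send."""
    remote = environ["REMOTE_ADDR"]
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if remote in TRUSTED_PROXIES and xff:
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)  # reject junk in the header
            return candidate
        except ValueError:
            pass
    return remote


def is_banned(environ, resolver):
    """Apply the ban list using the given address resolver."""
    return resolver(environ) in BANNED_IPS


# Constructed request: a banned host connecting directly but sending a
# forged X-Forwarded-For header pointing at an unrelated address.
DIRECT_FORGED = {"REMOTE_ADDR": "203.0.113.45",
                 "HTTP_X_FORWARDED_FOR": "198.51.100.7"}

# Constructed request: the same banned host arriving via our trusted proxy,
# which appended its real peer address after the client's forged entry.
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.5",
             "HTTP_X_FORWARDED_FOR": "198.51.100.7, 203.0.113.45"}
```

The naive resolver lets both requests through, while the hardened one bans both.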

5 (edited by EMBOSSED 2005-11-03 00:46)

Re: Ban Exploit

Cheers mate. Must have been one of those.