Analysis Report · mybb mybb_1807 → mybb_1808
Shared security patch analysis results
admin/modules/style/themes.php
AI: Not Sure
--- cache/mybb_mybb_1807/admin/modules/style/themes.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/style/themes.php 2025-12-06 11:32:55.914172993 +0000@@ -168,7 +168,7 @@ // Convert to mods site version codes $search_version = ($major_version_code/100).'x'; - $contents = fetch_remote_file("http://community.mybb.com/xmlbrowse.php?type=themes&version={$search_version}{$keywords}{$url_page}", $post_data);+ $contents = fetch_remote_file("https://community.mybb.com/xmlbrowse.php?type=themes&version={$search_version}{$keywords}{$url_page}", $post_data); if(!$contents) {@@ -214,9 +214,9 @@ ); $result['download_url']['value'] = htmlspecialchars_uni(html_entity_decode($result['download_url']['value'])); - $table->construct_cell("<img src=\"http://community.mybb.com/{$result['thumbnail']['value']}\" alt=\"{$lang->theme_thumbnail}\" title=\"{$lang->theme_thumbnail}\"/>", array("class" => "align_center", "width" => 100));+ $table->construct_cell("<img src=\"https://community.mybb.com/{$result['thumbnail']['value']}\" alt=\"{$lang->theme_thumbnail}\" title=\"{$lang->theme_thumbnail}\"/>", array("class" => "align_center", "width" => 100)); $table->construct_cell("<strong>{$result['name']['value']}</strong><br /><small>{$result['description']['value']}</small><br /><i><small>{$lang->created_by} {$result['author']['value']}</small></i>");- $table->construct_cell("<strong><a href=\"http://community.mybb.com/{$result['download_url']['value']}\" target=\"_blank\">{$lang->download}</a></strong>", array("class" => "align_center"));+ $table->construct_cell("<strong><a href=\"https://community.mybb.com/{$result['download_url']['value']}\" target=\"_blank\">{$lang->download}</a></strong>", array("class" => "align_center")); $table->construct_row(); } }@@ -286,11 +286,11 @@ // Recommended themes = Default; Otherwise search results & pagination if($mybb->request_method == "post") {- $table->output("<span style=\"float: right;\"><small><a 
href=\"http://community.mybb.com/mods.php?action=browse&category=themes\" target=\"_blank\">{$lang->browse_all_themes}</a></small></span>".$lang->sprintf($lang->browse_results_for_mybb, $mybb->version));+ $table->output("<span style=\"float: right;\"><small><a href=\"https://community.mybb.com/mods.php?action=browse&category=themes\" target=\"_blank\">{$lang->browse_all_themes}</a></small></span>".$lang->sprintf($lang->browse_results_for_mybb, $mybb->version)); } else {- $table->output("<span style=\"float: right;\"><small><a href=\"http://community.mybb.com/mods.php?action=browse&category=themes\" target=\"_blank\">{$lang->browse_all_themes}</a></small></span>".$lang->sprintf($lang->recommended_themes_for_mybb, $mybb->version));+ $table->output("<span style=\"float: right;\"><small><a href=\"https://community.mybb.com/mods.php?action=browse&category=themes\" target=\"_blank\">{$lang->browse_all_themes}</a></small></span>".$lang->sprintf($lang->recommended_themes_for_mybb, $mybb->version)); } echo "<br />".draw_admin_pagination($mybb->input['page'], 15, $tree['results']['attributes']['total'], "index.php?module=style-themes&action=browse{$keywords}&page={page}");@@ -2242,7 +2242,7 @@ $form->output_submit_wrapper($buttons); - echo '<script type="text/javascript" src="./jscripts/themes.js?ver=1804"></script>';+ echo '<script type="text/javascript" src="./jscripts/themes.js?ver=1808"></script>'; echo '<script type="text/javascript"> $(document).ready(function() {@@ -2348,7 +2348,7 @@ <script src="./jscripts/codemirror/mode/css/css.js"></script> <script src="./jscripts/codemirror/addon/dialog/dialog.js"></script> <script src="./jscripts/codemirror/addon/search/searchcursor.js"></script>-<script src="./jscripts/codemirror/addon/search/search.js"></script>+<script src="./jscripts/codemirror/addon/search/search.js?ver=1808"></script> '; } 
@@ -2624,7 +2624,7 @@ <script src="./jscripts/codemirror/mode/css/css.js"></script> <script src="./jscripts/codemirror/addon/dialog/dialog.js"></script> <script src="./jscripts/codemirror/addon/search/searchcursor.js"></script>-<script src="./jscripts/codemirror/addon/search/search.js"></script>+<script src="./jscripts/codemirror/addon/search/search.js?ver=1808"></script> '; } @@ -2887,7 +2887,7 @@ });</script>'; } - echo '<script type="text/javascript" src="./jscripts/themes.js?ver=1804"></script>';+ echo '<script type="text/javascript" src="./jscripts/themes.js?ver=1808"></script>'; echo '<script type="text/javascript" src="./jscripts/theme_properties.js"></script>'; echo '<script type="text/javascript"> $(function() {
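Review bot: the HTTP to HTTPS switch at lines 171, 217 and 219 only defeats tampering if `fetch_remote_file()` validates the server certificate; that is outside this hunk, so confirm it (for a curl-based implementation, `CURLOPT_SSL_VERIFYPEER` must remain enabled) before counting the change as MITM protection. The response is still only checked with `if(!$contents)`, so the parsed XML remains untrusted input downstream.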
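Review bot: in the second hunk `$result['download_url']['value']` is passed through `htmlspecialchars_uni(html_entity_decode(...))` before interpolation, but `$result['thumbnail']['value']` (interpolated into the `<img src>` at line 217) and the `name`, `description` and `author` values in the next cell are not shown being escaped anywhere in the hunk. Confirm they are escaped where the XML is parsed; otherwise a crafted response from the mods site lands unescaped in the admin page.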
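Review bot: the `?ver=1804` to `?ver=1808` cache-buster is a hard-coded literal in four places (lines 2245, 2351, 2627, 2890), and within the CodeMirror blocks only `search.js` receives it while `css.js`, `dialog.js` and `searchcursor.js` on the adjacent context lines still have no version parameter. Interpolating `$mybb->version_code` (already used in file_verification.php) instead of a literal would keep every script tag current after the next release.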
AI Analysis
# Security Analysis of Diff
## Vulnerability 1
**Vulnerability Existed:** yes
**Insecure Transport (HTTP) - CWE-319** - admin/modules/style/themes.php [171, 217, 219, 289, 293]
**Old Code:**
```php
$contents = fetch_remote_file("http://community.mybb.com/xmlbrowse.php?type=themes&version={$search_version}{$keywords}{$url_page}", $post_data);
```
```php
$table->construct_cell("<img src=\"http://community.mybb.com/{$result['thumbnail']['value']}\" alt=\"{$lang->theme_thumbnail}\" title=\"{$lang->theme_thumbnail}\"/>", array("class" => "align_center", "width" => 100));
```
```php
$table->construct_cell("<strong><a href=\"http://community.mybb.com/{$result['download_url']['value']}\" target=\"_blank\">{$lang->download}</a></strong>", array("class" => "align_center"));
```
```php
$table->output("<span style=\"float: right;\"><small><a href=\"http://community.mybb.com/mods.php?action=browse&category=themes\" target=\"_blank\">{$lang->browse_all_themes}</a></small></span>".$lang->sprintf($lang->browse_results_for_mybb, $mybb->version));
```
**Fixed Code:**
```php
$contents = fetch_remote_file("https://community.mybb.com/xmlbrowse.php?type=themes&version={$search_version}{$keywords}{$url_page}", $post_data);
```
```php
$table->construct_cell("<img src=\"https://community.mybb.com/{$result['thumbnail']['value']}\" alt=\"{$lang->theme_thumbnail}\" title=\"{$lang->theme_thumbnail}\"/>", array("class" => "align_center", "width" => 100));
```
```php
$table->construct_cell("<strong><a href=\"https://community.mybb.com/{$result['download_url']['value']}\" target=\"_blank\">{$lang->download}</a></strong>", array("class" => "align_center"));
```
```php
$table->output("<span style=\"float: right;\"><small><a href=\"https://community.mybb.com/mods.php?action=browse&category=themes\" target=\"_blank\">{$lang->browse_all_themes}</a></small></span>".$lang->sprintf($lang->browse_results_for_mybb, $mybb->version));
```
**Explanation:**
The vulnerability is the use of unencrypted HTTP protocol to fetch remote content and embed URLs from the MyBB community site. This creates multiple security risks:
1. **Remote Content Fetching (line 171)**: Using HTTP to fetch XML theme data via `fetch_remote_file()` allows man-in-the-middle (MITM) attackers to intercept and modify the theme metadata before it's processed, potentially injecting malicious themes or data.
2. **Image and Download URLs (lines 217, 219)**: Embedding HTTP URLs for theme thumbnails and download links allows attackers to intercept these requests and inject malicious content or serve compromised theme files to administrators.
3. **External Links (lines 289, 293)**: HTTP links in the UI allow attackers to perform MITM attacks on users clicking these links.
The fix upgrades all URLs from HTTP to HTTPS, ensuring encrypted transport and preventing MITM attacks. This protects the integrity of theme data and downloaded files.
---
## Vulnerability 2
**Vulnerability Existed:** not sure
**Cache Poisoning / Version Mismatch - CWE-497** - admin/modules/style/themes.php [2245, 2351, 2627, 2890]
**Old Code:**
```php
echo '<script type="text/javascript" src="./jscripts/themes.js?ver=1804"></script>';
```
```php
<script src="./jscripts/codemirror/addon/search/search.js"></script>
```
**Fixed Code:**
```php
echo '<script type="text/javascript" src="./jscripts/themes.js?ver=1808"></script>';
```
```php
<script src="./jscripts/codemirror/addon/search/search.js?ver=1808"></script>
```
**Explanation:**
The version parameter updates from 1804 to 1808 serve as cache-busting identifiers. Without these version parameters (or with outdated ones), browsers may serve cached versions of JavaScript files from a previous MyBB release. This could cause:
1. **Functional issues**: Old JavaScript logic may not work with new HTML/backend changes
2. **Security issues**: If the old version had security vulnerabilities that were patched in 1808, users would still execute the vulnerable code
3. **Inconsistent behavior**: Mismatched versions between code and JavaScript can lead to unexpected interactions
The fix ensures that when updating to version 1808, all JavaScript files are properly cache-busted and the latest versions are loaded. This is a good practice for preventing stale script execution, though the security impact depends on whether actual vulnerabilities were fixed between these versions.
admin/modules/tools/adminlog.php
AI: No vulnerabilities
--- cache/mybb_mybb_1807/admin/modules/tools/adminlog.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/tools/adminlog.php 2025-12-06 11:32:55.918173251 +0000@@ -102,7 +102,7 @@ "); while($user = $db->fetch_array($query)) {- $user_options[$user['uid']] = $user['username'];+ $user_options[$user['uid']] = htmlspecialchars_uni($user['username']); } $module_options = array();@@ -238,6 +238,7 @@ { $information = ''; $trow = alt_trow();+ $logitem['username'] = htmlspecialchars_uni($logitem['username']); $username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']); $logitem['data'] = my_unserialize($logitem['data']);@@ -283,7 +284,7 @@ "); while($user = $db->fetch_array($query)) {- $user_options[$user['uid']] = $user['username'];+ $user_options[$user['uid']] = htmlspecialchars_uni($user['username']); } $module_options = array();
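Review bot: lines 105 and 286 are the same query-and-loop block duplicated and now patched twice in identical fashion; factoring the user dropdown builder into one helper would keep future fixes in step. Also confirm that `generate_select_box()` does not escape option labels itself, or an admin with `&` in the username will render as `&amp;amp;` in the list.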
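Review bot: at line 241 the escaped value is written back into `$logitem['username']` rather than into a local variable, so any later use of `$logitem['username']` in the same iteration (including the rendering of `$logitem['data']`, unserialized on the next context line) must not escape it a second time. The separate-variable pattern used in admin_permissions.php in this same release (`$username = htmlspecialchars_uni($admin['username']);`) avoids that trap.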
AI Analysis
# Security Analysis
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/tools/adminlog.php [Lines 105, 241, 286]
**Old Code:**
```php
$user_options[$user['uid']] = $user['username'];
```
**Fixed Code:**
```php
$user_options[$user['uid']] = htmlspecialchars_uni($user['username']);
```
**Explanation:**
The vulnerability is a Stored XSS issue where usernames retrieved from the database are directly output to HTML without proper escaping. An attacker with the ability to set a malicious username could inject JavaScript code that executes in the admin panel when viewing the admin log. The fix applies `htmlspecialchars_uni()` to encode HTML special characters, preventing the injected code from being interpreted as executable JavaScript. This is a critical fix applied consistently across three locations where usernames are used in dropdown options and display contexts.
---
**Additional Context:**
- Line 105: Username stored in dropdown options without escaping
- Line 241: Username escaping added before being passed to `format_name()` function
- Line 286: Duplicate fix applied at another location where the same pattern existed
The use of `htmlspecialchars_uni()` (rather than standard `htmlspecialchars()`) suggests this is MyBB's custom function that handles Unicode characters properly while escaping HTML entities.
admin/modules/tools/file_verification.php
AI: No vulnerabilities
--- cache/mybb_mybb_1807/admin/modules/tools/file_verification.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/tools/file_verification.php 2025-12-06 11:32:55.918173251 +0000@@ -36,7 +36,7 @@ $page->output_header($lang->file_verification." - ".$lang->checking); - $file = explode("\n", fetch_remote_file("http://www.mybb.com/checksums/release_mybb_{$mybb->version_code}.txt"));+ $file = explode("\n", fetch_remote_file("https://mybb.com/checksums/release_mybb_{$mybb->version_code}.txt")); if(strstr($file[0], "<?xml") !== false || empty($file[0])) {@@ -125,4 +125,3 @@ $page->output_confirm_action("index.php?module=tools-file_verification", $lang->file_verification_message, $lang->file_verification); }-
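Review bot: with the fetch at line 39 now over HTTPS and the host changed to `mybb.com`, two points still need a check: `fetch_remote_file()` must verify the certificate for this to protect the checksum list, and the only validation of the downloaded list is `strstr($file[0], "<?xml") !== false || empty($file[0])`, so a well-formed but stale or wrong list is accepted as-is. A signed checksum list, or a comparison against a checksum shipped inside the release archive, would make verification independent of the transport. The trailing-newline removal in the second hunk is cosmetic.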
AI Analysis
Vulnerability Existed: no
Man-in-the-Middle (MitM) Attack / Unencrypted Communication - CWE-295 - admin/modules/tools/file_verification.php (Line 39)
Old Code:
```php
$file = explode("\n", fetch_remote_file("http://www.mybb.com/checksums/release_mybb_{$mybb->version_code}.txt"));
```
Fixed Code:
```php
$file = explode("\n", fetch_remote_file("https://mybb.com/checksums/release_mybb_{$mybb->version_code}.txt"));
```
Explanation:
This change upgrades an insecure HTTP connection to a secure HTTPS connection when fetching remote checksums. The old code used unencrypted HTTP, which exposed the checksum file transfer to potential Man-in-the-Middle attacks where an attacker could intercept and modify the checksums. This would allow an attacker to serve tampered files while the verification process would incorrectly validate them against the forged checksums. The fix eliminates this vulnerability by enforcing encrypted HTTPS communication and also corrects the domain from "www.mybb.com" to "mybb.com", ensuring the checksum verification process is secure.
admin/modules/tools/maillogs.php
AI: 1 vulnerability
1 true positive
--- cache/mybb_mybb_1807/admin/modules/tools/maillogs.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/tools/maillogs.php 2025-12-06 11:32:55.918173251 +0000@@ -430,7 +430,7 @@ { $from_type = "email"; }- $form_container->output_row($lang->from, "", $form->generate_select_box('from_type', $user_email, $from_type)." ".$form->generate_text_box('from_value', $from_filter, array('id' => 'from_value')), 'from_value');+ $form_container->output_row($lang->from, "", $form->generate_select_box('from_type', $user_email, $from_type)." ".$form->generate_text_box('from_value', htmlspecialchars_uni($from_filter), array('id' => 'from_value')), 'from_value'); if($to_username) { $to_type = "user";@@ -439,7 +439,7 @@ { $to_type = "email"; }- $form_container->output_row($lang->to, "", $form->generate_select_box('to_type', $user_email, $to_type)." ".$form->generate_text_box('to_value', $to_filter, array('id' => 'to_value')), 'to_value');+ $form_container->output_row($lang->to, "", $form->generate_select_box('to_type', $user_email, $to_type)." ".$form->generate_text_box('to_value', htmlspecialchars_uni($to_filter), array('id' => 'to_value')), 'to_value'); $form_container->end(); $buttons = array(); $buttons[] = $form->generate_submit_button($lang->filter_user_email_log);
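Review bot: `$from_filter` and `$to_filter` are escaped at the two call sites (lines 433 and 442) rather than where the attribute value is emitted; every other text box built from request input needs the same treatment, so consider escaping attribute values centrally inside `generate_text_box()` so new call sites are covered by default, and add a regression test that submits a `from_value` containing `"` and `<` and asserts the rendered attribute holds only the entity-encoded form.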
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - admin/modules/tools/maillogs.php [433, 442]
Old Code:
```php
$form->generate_text_box('from_value', $from_filter, array('id' => 'from_value'))
$form->generate_text_box('to_value', $to_filter, array('id' => 'to_value'))
```
Fixed Code:
```php
$form->generate_text_box('from_value', htmlspecialchars_uni($from_filter), array('id' => 'from_value'))
$form->generate_text_box('to_value', htmlspecialchars_uni($to_filter), array('id' => 'to_value'))
```
Explanation:
The variables `$from_filter` and `$to_filter` contain user-supplied filter values that are displayed in form input fields without HTML encoding. An attacker could inject malicious JavaScript by submitting filter parameters with payload content (e.g., `"><script>alert('xss')</script>`). When the form is redisplayed with these filters, the unescaped values would execute in the victim's browser. The fix applies `htmlspecialchars_uni()` to encode special HTML characters, preventing the injected code from being interpreted as executable script. This is a reflected XSS vulnerability in a form filter mechanism.
admin/modules/tools/modlog.php
AI: 1 vulnerability
1 true positive
--- cache/mybb_mybb_1807/admin/modules/tools/modlog.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/tools/modlog.php 2025-12-06 11:32:55.918173251 +0000@@ -105,7 +105,7 @@ "); while($user = $db->fetch_array($query)) {- $user_options[$user['uid']] = $user['username'];+ $user_options[$user['uid']] = htmlspecialchars_uni($user['username']); } $form = new Form("index.php?module=tools-modlog&action=prune", "post");@@ -240,7 +240,7 @@ $logitem['action'] = htmlspecialchars_uni($logitem['action']); $logitem['dateline'] = my_date('relative', $logitem['dateline']); $trow = alt_trow();- $username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);+ $username = format_name(htmlspecialchars_uni($logitem['username']), $logitem['usergroup'], $logitem['displaygroup']); $logitem['profilelink'] = build_profile_link($username, $logitem['uid'], "_blank"); if($logitem['tsubject']) {@@ -310,7 +310,7 @@ { $selected = "selected=\"selected\""; }- $user_options[$user['uid']] = $user['username'];+ $user_options[$user['uid']] = htmlspecialchars_uni($user['username']); } $sort_by = array(
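Review bot: lines 108 and 313 are the same user-dropdown loop duplicated and patched twice in the same way; a shared helper would keep the two in sync, and `generate_select_box()` should be checked so that option labels are not encoded a second time.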
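Review bot: the ordering at line 243 is the right one and should be kept at any further call sites: `htmlspecialchars_uni()` is applied to the raw username before `format_name()`, which adds the usergroup's display markup, and `build_profile_link()` then receives the formatted name on the next context line. Escaping after `format_name()` would have mangled that markup instead.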
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
XSS (Cross-Site Scripting) - CWE-79 - admin/modules/tools/modlog.php [108, 243, 313]
Old Code:
```php
// Line 108
$user_options[$user['uid']] = $user['username'];
// Line 243
$username = format_name($logitem['username'], $logitem['usergroup'], $logitem['displaygroup']);
// Line 313
$user_options[$user['uid']] = $user['username'];
```
Fixed Code:
```php
// Line 108
$user_options[$user['uid']] = htmlspecialchars_uni($user['username']);
// Line 243
$username = format_name(htmlspecialchars_uni($logitem['username']), $logitem['usergroup'], $logitem['displaygroup']);
// Line 313
$user_options[$user['uid']] = htmlspecialchars_uni($user['username']);
```
Explanation:
User-supplied data (usernames from the database) was being output directly into HTML contexts without proper escaping. This creates an XSS vulnerability where a malicious username stored in the database could execute arbitrary JavaScript when the moderation log is viewed. The fix applies `htmlspecialchars_uni()` to escape special HTML characters before output, preventing the browser from interpreting username data as executable code. This is a standard output encoding defense against reflected and stored XSS attacks (CWE-79).
admin/modules/tools/spamlog.php
AI: 1 vulnerability
1 true positive
--- cache/mybb_mybb_1807/admin/modules/tools/spamlog.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/tools/spamlog.php 2025-12-06 11:32:55.918173251 +0000@@ -279,7 +279,7 @@ $form = new Form("index.php?module=tools-spamlog", "post"); $form_container = new FormContainer($lang->filter_spam_logs);- $form_container->output_row($lang->spam_username, "", $form->generate_text_box('username', $mybb->input['username'], array('id' => 'username')), 'suername');+ $form_container->output_row($lang->spam_username, "", $form->generate_text_box('username', htmlspecialchars_uni($mybb->get_input('username')), array('id' => 'username')), 'suername'); $form_container->output_row($lang->spam_email, "", $form->generate_text_box('email', $mybb->input['email'], array('id' => 'email')), 'email'); $form_container->output_row($lang->spam_ip, "", $form->generate_text_box('ipaddress', $mybb->input['ipaddress'], array('id' => 'ipaddress')), 'ipaddress'); $form_container->output_row($lang->sort_by, "", $form->generate_select_box('sortby', $sort_by, $mybb->input['sortby'], array('id' => 'sortby'))." {$lang->in} ".$form->generate_select_box('order', $order_array, $order, array('id' => 'order'))." {$lang->order}", 'order');
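Review bot: only the `username` box at line 282 is fixed; the next two context lines still pass `$mybb->input['email']` and `$mybb->input['ipaddress']` raw into `generate_text_box()`, the same sink with the same exposure, so they need the same `htmlspecialchars_uni($mybb->get_input(...))` treatment. The misspelled `'suername'` argument at the end of the patched line is also carried over unchanged.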
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - admin/modules/tools/spamlog.php [282]
Old Code:
```php
$form->generate_text_box('username', $mybb->input['username'], array('id' => 'username'))
```
Fixed Code:
```php
$form->generate_text_box('username', htmlspecialchars_uni($mybb->get_input('username')), array('id' => 'username'))
```
Explanation:
The old code directly used `$mybb->input['username']` without any escaping when generating a text box in the form. User-supplied input from `$mybb->input['username']` could contain malicious JavaScript code that would be injected into the HTML attribute value, allowing an attacker to execute arbitrary scripts in the context of an admin's browser (Stored XSS if persisted, or Reflected XSS if passed via URL parameters).
The fix applies two important security measures:
1. **`htmlspecialchars_uni()`** - Escapes HTML special characters, converting potentially dangerous characters (like `<`, `>`, `"`, `'`) into HTML entities, preventing script injection
2. **`$mybb->get_input()`** - Uses the safer input retrieval method instead of direct array access, which may provide additional sanitization depending on the framework's implementation
This prevents the injected code from being interpreted as executable JavaScript and neutralizes the XSS vulnerability.
admin/modules/tools/system_health.php
AI: No vulnerabilities
--- cache/mybb_mybb_1807/admin/modules/tools/system_health.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/tools/system_health.php 2025-12-06 11:32:55.918173251 +0000@@ -922,7 +922,7 @@ if($errors) {- $page->output_error("<p><em>{$errors} {$lang->error_chmod}</span></strong> {$lang->chmod_info} <a href=\"http://docs.mybb.com/HowTo_Chmod.html\" target=\"_blank\">MyBB Docs</a>.</em></p>");+ $page->output_error("<p><em>{$errors} {$lang->error_chmod}</span></strong> {$lang->chmod_info} <a href=\"https://docs.mybb.com/1.8/administration/security/file-permissions\" target=\"_blank\">MyBB Docs</a>.</em></p>"); } else {
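Review bot: the HTML in the `output_error()` string is malformed on both the old and the new line: it opens `<p><em>` but then closes `</span></strong>` that were never opened before `</em></p>`. Since the URL change touches this line anyway, fix the tag nesting in the same commit. The URL is a static literal, so the HTTP to HTTPS change here is link hygiene rather than a vulnerability fix.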
AI Analysis
Vulnerability Existed: no
No CWE Identified - File: admin/modules/tools/system_health.php [Line 925]
Old Code:
```php
$page->output_error("<p><em>{$errors} {$lang->error_chmod}</span></strong> {$lang->chmod_info} <a href=\"http://docs.mybb.com/HowTo_Chmod.html\" target=\"_blank\">MyBB Docs</a>.</em></p>");
```
Fixed Code:
```php
$page->output_error("<p><em>{$errors} {$lang->error_chmod}</span></strong> {$lang->chmod_info} <a href=\"https://docs.mybb.com/1.8/administration/security/file-permissions\" target=\"_blank\">MyBB Docs</a>.</em></p>");
```
Explanation:
This change upgrades the documentation link from HTTP to HTTPS and updates the URL to point to a more specific documentation page. This is a security enhancement rather than a fix for an existing vulnerability. The change promotes secure communication (HTTPS) and improves the relevance of the documentation link, but the old code itself was not vulnerable to exploitation. The hardcoded URL in a static error message does not present a security risk in this context.
admin/modules/tools/warninglog.php
AI: 1 vulnerability
1 true positive
--- cache/mybb_mybb_1807/admin/modules/tools/warninglog.php 2025-12-06 11:32:55.122121849 +0000+++ cache/mybb_mybb_1808/admin/modules/tools/warninglog.php 2025-12-06 11:32:55.922173510 +0000@@ -110,7 +110,7 @@ $page->output_header($lang->warning_details); - $user_link = build_profile_link($user['username'], $user['uid'], "_blank");+ $user_link = build_profile_link(htmlspecialchars_uni($user['username']), $user['uid'], "_blank"); if(is_array($warn_errors)) {@@ -142,7 +142,7 @@ $table->construct_row(); } - $issuedby = build_profile_link($warning['username'], $warning['issuedby'], "_blank");+ $issuedby = build_profile_link(htmlspecialchars_uni($warning['username']), $warning['issuedby'], "_blank"); $notes = nl2br(htmlspecialchars_uni($warning['notes'])); $date_issued = my_date('relative', $warning['dateline']);@@ -215,7 +215,7 @@ { $date_revoked = my_date('relative', $warning['daterevoked']); $revoked_user = get_user($warning['revokedby']);- $revoked_by = build_profile_link($revoked_user['username'], $revoked_user['uid'], "_blank");+ $revoked_by = build_profile_link(htmlspecialchars_uni($revoked_user['username']), $revoked_user['uid'], "_blank"); $revoke_reason = nl2br(htmlspecialchars_uni($warning['revokereason'])); $revoke_table = new Table;@@ -391,7 +391,7 @@ } $trow = alt_trow();- $username = format_name($row['username'], $row['usergroup'], $row['displaygroup']);+ $username = format_name(htmlspecialchars_uni($row['username']), $row['usergroup'], $row['displaygroup']); if(!$row['uid']) { $username_link = $username;@@ -400,7 +400,7 @@ { $username_link = build_profile_link($username, $row['uid'], "_blank"); }- $mod_username = format_name($row['mod_username'], $row['mod_usergroup'], $row['mod_displaygroup']);+ $mod_username = format_name(htmlspecialchars_uni($row['mod_username']), $row['mod_usergroup'], $row['mod_displaygroup']); $mod_username_link = build_profile_link($mod_username, $row['mod_uid'], "_blank"); $issued_date = my_date('relative', $row['dateline']); 
$revoked_text = '';
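Review bot: the five call sites (lines 113, 145, 218, 394, 403) are patched one by one; since `build_profile_link()` and `format_name()` are shared helpers, check the remaining callers in this file for the same raw-username pattern and add a regression test with a username containing `<`, `"` and `&` that asserts the rendered warning log contains only the encoded form. The context at line 403, `$username_link = build_profile_link($username, ...)`, correctly reuses the already escaped and formatted `$username` and must not be escaped again.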
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - admin/modules/tools/warninglog.php [Lines 113, 145, 218, 394, 403]
Old Code:
```php
$user_link = build_profile_link($user['username'], $user['uid'], "_blank");
$issuedby = build_profile_link($warning['username'], $warning['issuedby'], "_blank");
$revoked_by = build_profile_link($revoked_user['username'], $revoked_user['uid'], "_blank");
$username = format_name($row['username'], $row['usergroup'], $row['displaygroup']);
$mod_username = format_name($row['mod_username'], $row['mod_usergroup'], $row['mod_displaygroup']);
```
Fixed Code:
```php
$user_link = build_profile_link(htmlspecialchars_uni($user['username']), $user['uid'], "_blank");
$issuedby = build_profile_link(htmlspecialchars_uni($warning['username']), $warning['issuedby'], "_blank");
$revoked_by = build_profile_link(htmlspecialchars_uni($revoked_user['username']), $revoked_user['uid'], "_blank");
$username = format_name(htmlspecialchars_uni($row['username']), $row['usergroup'], $row['displaygroup']);
$mod_username = format_name(htmlspecialchars_uni($row['mod_username']), $row['mod_usergroup'], $row['mod_displaygroup']);
```
Explanation:
User-controlled data from the database (usernames) was being passed directly to display functions without HTML entity encoding. While the functions `build_profile_link()` and `format_name()` may perform some escaping internally, the explicit addition of `htmlspecialchars_uni()` ensures usernames containing special characters or HTML metacharacters (e.g., `<script>`, `'`, `"`, `&`) are properly encoded before being passed to these functions. This prevents Stored XSS attacks where a malicious username could be injected and executed in the browser when the warning log is displayed. The fix properly escapes all five instances of unescaped username variables across the different warning log display contexts.
admin/modules/user/admin_permissions.php
AI: 2 vulnerabilities
2 true positives
--- cache/mybb_mybb_1807/admin/modules/user/admin_permissions.php 2025-12-06 11:32:55.126122107 +0000+++ cache/mybb_mybb_1808/admin/modules/user/admin_permissions.php 2025-12-06 11:32:55.922173510 +0000@@ -210,7 +210,7 @@ $admin = $db->fetch_array($query); $permission_data = get_admin_permissions($uid, $admin['gid']);- $title = $admin['username'];+ $title = htmlspecialchars_uni($admin['username']); $page->add_breadcrumb_item($lang->user_permissions, "index.php?module=user-admin_permissions"); } elseif($uid < 0)@@ -489,7 +489,8 @@ } $usergroup_list = implode($lang->comma, $usergroup_list); - $table->construct_cell("<div class=\"float_right\"><img src=\"styles/{$page->style}/images/icons/{$perm_type}.png\" title=\"{$lang->perms_type_user}\" alt=\"{$perm_type}\" /></div><div><strong><a href=\"index.php?module=user-admin_permissions&action=edit&uid={$admin['uid']}\" title=\"{$lang->edit_user}\">{$admin['username']}</a></strong><br /><small>{$usergroup_list}</small></div>");+ $username = htmlspecialchars_uni($admin['username']);+ $table->construct_cell("<div class=\"float_right\"><img src=\"styles/{$page->style}/images/icons/{$perm_type}.png\" title=\"{$lang->perms_type_user}\" alt=\"{$perm_type}\" /></div><div><strong><a href=\"index.php?module=user-admin_permissions&action=edit&uid={$admin['uid']}\" title=\"{$lang->edit_user}\">{$username}</a></strong><br /><small>{$usergroup_list}</small></div>"); $table->construct_cell(my_date('relative', $admin['lastactive']), array("class" => "align_center"));
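Review bot: `$title` at line 213 is now escaped at assignment; check where `$title` is consumed later (header output or breadcrumb) to make sure it is not entity-encoded a second time there.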
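Review bot: the `$username` local at line 492 is the cleaner pattern for this fix. The same cell also interpolates `{$perm_type}` into `src` and `alt` and `{$usergroup_list}` (built from group titles via `implode($lang->comma, $usergroup_list)` on the context line above), neither of which is shown escaped in the hunk; confirm they are escaped where they are built.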
AI Analysis
Analyzing the provided diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/admin_permissions.php - Line 213
Old Code:
```php
$title = $admin['username'];
```
Fixed Code:
```php
$title = htmlspecialchars_uni($admin['username']);
```
Explanation:
The `$admin['username']` variable was being directly assigned to `$title` without sanitization. Since `$title` is later rendered in HTML output (via breadcrumb), an attacker-controlled username containing HTML/JavaScript could execute arbitrary scripts in the admin's browser. The fix applies `htmlspecialchars_uni()` to encode special characters, preventing XSS payload execution.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/admin_permissions.php - Lines 492-493
Old Code:
```php
$table->construct_cell("<div class=\"float_right\"><img src=\"styles/{$page->style}/images/icons/{$perm_type}.png\" title=\"{$lang->perms_type_user}\" alt=\"{$perm_type}\" /></div><div><strong><a href=\"index.php?module=user-admin_permissions&action=edit&uid={$admin['uid']}\" title=\"{$lang->edit_user}\">{$admin['username']}</a></strong><br /><small>{$usergroup_list}</small></div>");
```
Fixed Code:
```php
$username = htmlspecialchars_uni($admin['username']);
$table->construct_cell("<div class=\"float_right\"><img src=\"styles/{$page->style}/images/icons/{$perm_type}.png\" title=\"{$lang->perms_type_user}\" alt=\"{$perm_type}\" /></div><div><strong><a href=\"index.php?module=user-admin_permissions&action=edit&uid={$admin['uid']}\" title=\"{$lang->edit_user}\">{$username}</a></strong><br /><small>{$usergroup_list}</small></div>");
```
Explanation:
The `$admin['username']` variable was directly embedded in HTML output within a table cell without escaping. This creates an XSS vulnerability where malicious usernames could inject JavaScript. The fix pre-sanitizes the username using `htmlspecialchars_uni()` before embedding it in the HTML string, preventing script injection through the username field.
admin/modules/user/banning.php
AI: No vulnerabilities
--- cache/mybb_mybb_1807/admin/modules/user/banning.php 2025-12-06 11:32:55.126122107 +0000+++ cache/mybb_mybb_1808/admin/modules/user/banning.php 2025-12-06 11:32:55.922173510 +0000@@ -99,7 +99,7 @@ $cache->update_reportedcontent(); // Log admin action- log_admin_action($user['uid'], $user['username']);+ log_admin_action($user['uid'], htmlspecialchars_uni($user['username'])); flash_message($lang->success_pruned, 'success'); admin_redirect("index.php?module=user-banning");@@ -154,7 +154,7 @@ $cache->update_moderators(); // Log admin action- log_admin_action($ban['uid'], $user['username']);+ log_admin_action($ban['uid'], htmlspecialchars_uni($user['username'])); flash_message($lang->success_ban_lifted, 'success'); admin_redirect("index.php?module=user-banning");@@ -241,7 +241,7 @@ $cache->update_banned(); // Log admin action- log_admin_action($ban['uid'], $user['username']);+ log_admin_action($ban['uid'], htmlspecialchars_uni($user['username'])); flash_message($lang->success_ban_updated, 'success'); admin_redirect("index.php?module=user-banning");@@ -268,7 +268,7 @@ } $form_container = new FormContainer($lang->edit_ban);- $form_container->output_row($lang->ban_username, "", $user['username']);+ $form_container->output_row($lang->ban_username, "", htmlspecialchars_uni($user['username'])); $form_container->output_row($lang->ban_reason, "", $form->generate_text_area('reason', $mybb->input['reason'], array('id' => 'reason', 'maxlength' => '255')), 'reason'); if(count($banned_groups) > 1) {@@ -285,7 +285,7 @@ { if($time != '---') {- $friendly_time = my_date("D, jS M Y @ g:ia", ban_date2timestamp($time));+ $friendly_time = my_date("D, jS M Y @ {$mybb->settings['timeformat']}", ban_date2timestamp($time)); $period = "{$period} ({$friendly_time})"; } $length_list[$time] = $period;@@ -316,7 +316,7 @@ $user = get_user_by_username($mybb->input['username'], $options); // Are we searching a user?- if(isset($mybb->input['search']) && $mybb->get_input('search') != '')+ 
if(isset($mybb->input['search'])) { $where_sql = 'uid=\''.(int)$user['uid'].'\''; $where_sql_full = 'WHERE b.uid=\''.(int)$user['uid'].'\'';@@ -405,7 +405,7 @@ $cache->update_banned(); // Log admin action- log_admin_action($user['uid'], $user['username'], $lifted);+ log_admin_action($user['uid'], htmlspecialchars_uni($user['username']), $lifted); flash_message($lang->success_banned, 'success'); admin_redirect("index.php?module=user-banning");@@ -463,7 +463,7 @@ // Get the banned users while($ban = $db->fetch_array($query)) {- $profile_link = build_profile_link($ban['username'], $ban['uid'], "_blank");+ $profile_link = build_profile_link(htmlspecialchars_uni($ban['username']), $ban['uid'], "_blank"); $ban_date = my_date($mybb->settings['dateformat'], $ban['dateline']); if($ban['lifted'] == 'perm' || $ban['lifted'] == '' || $ban['bantime'] == 'perm' || $ban['bantime'] == '---') {@@ -497,7 +497,7 @@ { if($ban['admin'] == 0) {- $ban['adminuser'] = "MyBB System";+ $ban['adminuser'] = $lang->mybb_engine; } else {@@ -545,7 +545,7 @@ { if($time != "---") {- $friendly_time = my_date("D, jS M Y @ g:ia", ban_date2timestamp($time));+ $friendly_time = my_date("D, jS M Y @ {$mybb->settings['timeformat']}", ban_date2timestamp($time)); $period = "{$period} ({$friendly_time})"; } $length_list[$time] = $period;@@ -598,7 +598,7 @@ </script>'; $buttons[] = $form->generate_submit_button($lang->ban_user);- $buttons[] = $form->generate_submit_button($lang->search_user, array('name' => 'search'));+ $buttons[] = $form->generate_submit_button($lang->search_for_a_user, array('name' => 'search')); $form->output_submit_wrapper($buttons); $form->end();
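Review bot: in the `@@ -99` hunk (and identically in the `-154`, `-241` and `-405` hunks) `log_admin_action()` now receives an HTML-encoded username, so the encoded form is what gets written to the admin log. Check that the admin log viewer does not encode the stored value a second time, and that the remaining `log_admin_action()` callers elsewhere in the codebase adopt the same convention, otherwise old and new log entries will render differently.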
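Review bot: the `@@ -316` hunk drops the `$mybb->get_input('search') != ''` test, so the search branch is now entered whenever the `search` key is present, even with an empty value. The branch then builds `$where_sql = 'uid=\''.(int)$user['uid'].'\''` directly from the result of `get_user_by_username()`; when no user matched, `$user` is empty and the clause collapses to `uid='0'`, which silently returns an empty or wrong ban list instead of an error. Add a `!empty($user)` guard (or an explicit "user not found" message) before the WHERE clause is built.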
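Review bot: the `@@ -497` hunk replaces the literal `"MyBB System"` with `$lang->mybb_engine`, and the `@@ -598` hunk switches the button label to `$lang->search_for_a_user`; both render as an empty string if the banning module's language file does not define those keys, so the language-file change needs to land in the same patch and the translation packs need the new strings.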
AI Analysis
# Security Analysis of admin/modules/user/banning.php
## Vulnerability 1: Cross-Site Scripting (XSS) via Username Output
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79 - admin/modules/user/banning.php [102, 157, 244, 271, 408, 466]**
**Old Code:**
```php
log_admin_action($user['uid'], $user['username']);
// and
$form_container->output_row($lang->ban_username, "", $user['username']);
// and
$profile_link = build_profile_link($ban['username'], $ban['uid'], "_blank");
```
**Fixed Code:**
```php
log_admin_action($user['uid'], htmlspecialchars_uni($user['username']));
// and
$form_container->output_row($lang->ban_username, "", htmlspecialchars_uni($user['username']));
// and
$profile_link = build_profile_link(htmlspecialchars_uni($ban['username']), $ban['uid'], "_blank");
```
**Explanation:**
Usernames from the database were being output to HTML without proper escaping. An attacker with the ability to create or modify usernames in the database could inject malicious JavaScript code that would execute in the context of admin users viewing the banning module. The fix applies `htmlspecialchars_uni()` (MyBB's HTML encoding function) to escape special characters before output, preventing XSS payload execution.
---
## Vulnerability 2: Hardcoded Time Format Vulnerability
**Vulnerability Existed:** yes
**Improper Neutralization of Input During Web Page Generation - CWE-79 - admin/modules/user/banning.php [288, 548]**
**Old Code:**
```php
$friendly_time = my_date("D, jS M Y @ g:ia", ban_date2timestamp($time));
```
**Fixed Code:**
```php
$friendly_time = my_date("D, jS M Y @ {$mybb->settings['timeformat']}", ban_date2timestamp($time));
```
**Explanation:**
The hardcoded time format `"g:ia"` ignored user/site settings for time display. While this itself isn't a direct vulnerability, using the configurable time format from `$mybb->settings['timeformat']` is a best practice. This fix respects admin-configured time formats and prevents potential inconsistencies or injection vectors if the time format could be controlled externally.
---
## Non-Vulnerability 3: Input Validation Change
**Vulnerability Existed:** no
**Input Validation Logic - No CWE - admin/modules/user/banning.php [319]**
**Old Code:**
```php
if(isset($mybb->input['search']) && $mybb->get_input('search') != '')
```
**Fixed Code:**
```php
if(isset($mybb->input['search']))
```
**Explanation:**
This change removes the redundant empty string check. The `isset()` check is sufficient to determine if the search parameter exists. This is not a security vulnerability fix but rather a code simplification. The original code was overly defensive; the fix correctly identifies that the presence of the parameter is what matters for the search logic.
---
## Non-Vulnerability 4: Localization String Update
**Vulnerability Existed:** no
**Localization Update - No CWE - admin/modules/user/banning.php [598]**
**Old Code:**
```php
$buttons[] = $form->generate_submit_button($lang->search_user, array('name' => 'search'));
```
**Fixed Code:**
```php
$buttons[] = $form->generate_submit_button($lang->search_for_a_user, array('name' => 'search'));
```
**Explanation:**
This is a localization/UI text update changing the button label from `$lang->search_user` to `$lang->search_for_a_user`. This is not a security fix but rather an improvement to user-facing text for clarity.
---
## Non-Vulnerability 5: Localization String Update (System Label)
**Vulnerability Existed:** no
**Localization Update - No CWE - admin/modules/user/banning.php [501]**
**Old Code:**
```php
$ban['adminuser'] = "MyBB System";
```
**Fixed Code:**
```php
$ban['adminuser'] = $lang->mybb_engine;
```
**Explanation:**
This change replaces a hardcoded English string with a localized language constant `$lang->mybb_engine`, improving internationalization. This is not a security vulnerability but a UX/localization improvement.
---
## Summary
The patch addresses **one primary security vulnerability**: **XSS via unescaped username output** in multiple locations throughout the banning module. This is a significant vulnerability that could allow authenticated database-level attackers to execute arbitrary JavaScript in admin contexts. The fix consistently applies HTML entity encoding via `htmlspecialchars_uni()` to all user-controlled output points. Additional changes are code quality improvements and localization enhancements.
admin/modules/user/groups.php
AI: 7 vulnerabilities
2 false positives, 4 true positives
--- cache/mybb_mybb_1807/admin/modules/user/groups.php 2025-12-06 11:32:55.126122107 +0000+++ cache/mybb_mybb_1808/admin/modules/user/groups.php 2025-12-06 11:32:55.922173510 +0000@@ -64,8 +64,8 @@ "candeletereputations" => 1, "reputationpower" => 1, "maxreputationsday" => 5,- "maxreputationsperuser" => 5,- "maxreputationsperthread" => 5,+ "maxreputationsperuser" => 0,+ "maxreputationsperthread" => 0, "candisplaygroup" => 0, "attachquota" => 5000, "cancustomtitle" => 0,@@ -283,7 +283,7 @@ while($request = $db->fetch_array($query)) { $table->construct_cell($form->generate_check_box("users[]", $request['uid'], ""));- $table->construct_cell("<strong>".build_profile_link($request['username'], $request['uid'], "_blank")."</strong>");+ $table->construct_cell("<strong>".build_profile_link(htmlspecialchars_uni($request['username']), $request['uid'], "_blank")."</strong>"); $table->construct_cell(htmlspecialchars_uni($request['reason'])); $table->construct_cell(my_date('relative', $request['dateline']), array('class' => 'align_center')); 
@@ -364,9 +364,10 @@ $cache->update_groupleaders(); // Log admin action- log_admin_action($user['uid'], $user['username'], $group['gid'], htmlspecialchars_uni($group['title']));+ log_admin_action($user['uid'], htmlspecialchars_uni($user['username']), $group['gid'], htmlspecialchars_uni($group['title'])); - flash_message("{$user['username']} ".$lang->success_user_made_leader, 'success');+ $username = htmlspecialchars_uni($user['username']);+ flash_message("{$username} ".$lang->success_user_made_leader, 'success'); admin_redirect("index.php?module=user-groups&action=leaders&gid={$group['gid']}"); } else@@ -481,7 +482,7 @@ } $form_container = new FormContainer($lang->add_group_leader.' '.htmlspecialchars_uni($group['title']));- $form_container->output_row($lang->username." <em>*</em>", "", $form->generate_text_box('username', $mybb->input['username'], array('id' => 'username')), 'username');+ $form_container->output_row($lang->username." <em>*</em>", "", $form->generate_text_box('username', htmlspecialchars_uni($mybb->get_input('username')), array('id' => 'username')), 'username'); $form_container->output_row($lang->can_manage_group_members, $lang->can_manage_group_members_desc, $form->generate_yes_no_radio('canmanagemembers', $mybb->input['canmanagemembers'])); $form_container->output_row($lang->can_manage_group_join_requests, $lang->can_manage_group_join_requests_desc, $form->generate_yes_no_radio('canmanagerequests', $mybb->input['canmanagerequests'])); $form_container->output_row($lang->can_invite_group_members, $lang->can_invite_group_members_desc, $form->generate_yes_no_radio('caninvitemembers', $mybb->input['caninvitemembers']));@@ -571,7 +572,7 @@ $cache->update_groupleaders(); // Log admin action- log_admin_action($leader['uid'], $leader['username'], $group['gid'], htmlspecialchars_uni($group['title']));+ log_admin_action($leader['uid'], htmlspecialchars_uni($leader['username']), $group['gid'], htmlspecialchars_uni($group['title'])); 
flash_message($lang->success_group_leader_deleted, 'success'); admin_redirect("index.php?module=user-groups&action=leaders&gid={$group['gid']}");@@ -618,7 +619,7 @@ $cache->update_groupleaders(); // Log admin action- log_admin_action($leader['uid'], $leader['username'], $group['gid'], htmlspecialchars_uni($group['title']));+ log_admin_action($leader['uid'], htmlspecialchars_uni($leader['username']), $group['gid'], htmlspecialchars_uni($group['title'])); flash_message($lang->success_group_leader_updated, 'success'); admin_redirect("index.php?module=user-groups&action=leaders&gid={$group['gid']}");@@ -630,6 +631,7 @@ } $page->add_breadcrumb_item($lang->group_leaders_for.' '.htmlspecialchars_uni($group['title']), "index.php?module=user-groups&action=leaders&gid={$group['gid']}");+ $leader['username'] = htmlspecialchars_uni($leader['username']); $page->add_breadcrumb_item($lang->edit_leader." {$leader['username']}"); $page->output_header($lang->edit_group_leader);@@ -1147,6 +1149,7 @@ $form->generate_check_box("candeletereputations", 1, $lang->can_delete_own_reputation, array("checked" => $mybb->input['candeletereputations'])), "{$lang->points_to_award_take}<br /><small class=\"input\">{$lang->points_to_award_take_desc}</small><br />".$form->generate_numeric_field('reputationpower', $mybb->input['reputationpower'], array('id' => 'reputationpower', 'class' => 'field50', 'min' => 0)), "{$lang->max_reputations_perthread}<br /><small class=\"input\">{$lang->max_reputations_perthread_desc}</small><br />".$form->generate_numeric_field('maxreputationsperthread', $mybb->input['maxreputationsperthread'], array('id' => 'maxreputationsperthread', 'class' => 'field50', 'min' => 0)),+ "{$lang->max_reputations_peruser}<br /><small class=\"input\">{$lang->max_reputations_peruser_desc}</small><br />".$form->generate_numeric_field('maxreputationsperuser', $mybb->input['maxreputationsperuser'], array('id' => 'maxreputationsperuser', 'class' => 'field50', 'min' => 0)), 
"{$lang->max_reputations_daily}<br /><small class=\"input\">{$lang->max_reputations_daily_desc}</small><br />".$form->generate_numeric_field('maxreputationsday', $mybb->input['maxreputationsday'], array('id' => 'maxreputationsday', 'class' => 'field50', 'min' => 0)) ); $form_container->output_row($lang->reputation_system, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $reputation_options)."</div>");@@ -1440,7 +1443,7 @@ "); while($leader = $db->fetch_array($query)) {- $leaders[$leader['gid']][] = build_profile_link($leader['username'], $leader['uid'], "_blank");+ $leaders[$leader['gid']][] = build_profile_link(htmlspecialchars_uni($leader['username']), $leader['uid'], "_blank"); } $form_container = new FormContainer($lang->user_groups);
AI Analysis
I'll analyze this code diff for security vulnerabilities following the specified format.
---
**Vulnerability 1:**
Vulnerability Existed: yes
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/groups.php - Line 286
**Old Code:**
```php
$table->construct_cell("<strong>".build_profile_link($request['username'], $request['uid'], "_blank")."</strong>");
```
**Fixed Code:**
```php
$table->construct_cell("<strong>".build_profile_link(htmlspecialchars_uni($request['username']), $request['uid'], "_blank")."</strong>");
```
Explanation:
The username from the database was being passed directly to `build_profile_link()` without HTML encoding. If a username contains special characters or malicious HTML/JavaScript, it could be rendered without escaping, leading to XSS. The fix wraps the username with `htmlspecialchars_uni()` to properly escape HTML entities.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/groups.php - Line 367
**Old Code:**
```php
log_admin_action($user['uid'], $user['username'], $group['gid'], htmlspecialchars_uni($group['title']));
flash_message("{$user['username']} ".$lang->success_user_made_leader, 'success');
```
**Fixed Code:**
```php
log_admin_action($user['uid'], htmlspecialchars_uni($user['username']), $group['gid'], htmlspecialchars_uni($group['title']));
$username = htmlspecialchars_uni($user['username']);
flash_message("{$username} ".$lang->success_user_made_leader, 'success');
```
Explanation:
The username was being logged and displayed in a flash message without HTML encoding. This could allow XSS if usernames contain malicious content. The fix encodes the username before passing it to both `log_admin_action()` and `flash_message()`.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/groups.php - Line 485
**Old Code:**
```php
$form->generate_text_box('username', $mybb->input['username'], array('id' => 'username'))
```
**Fixed Code:**
```php
$form->generate_text_box('username', htmlspecialchars_uni($mybb->get_input('username')), array('id' => 'username'))
```
Explanation:
User input from `$mybb->input['username']` was being directly inserted into a form field without escaping. An attacker could inject malicious HTML/JavaScript that would be reflected in the form. The fix encodes the input with `htmlspecialchars_uni()` to prevent XSS.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/groups.php - Line 575
**Old Code:**
```php
log_admin_action($leader['uid'], $leader['username'], $group['gid'], htmlspecialchars_uni($group['title']));
```
**Fixed Code:**
```php
log_admin_action($leader['uid'], htmlspecialchars_uni($leader['username']), $group['gid'], htmlspecialchars_uni($group['title']));
```
Explanation:
Similar to Vulnerability 2, the username was passed to `log_admin_action()` without HTML encoding. The fix wraps it with `htmlspecialchars_uni()` to prevent XSS in log entries.
---
**Vulnerability 5:**
Vulnerability Existed: yes
FALSE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/groups.php - Line 622
**Old Code:**
```php
log_admin_action($leader['uid'], $leader['username'], $group['gid'], htmlspecialchars_uni($group['title']));
```
**Fixed Code:**
```php
log_admin_action($leader['uid'], htmlspecialchars_uni($leader['username']), $group['gid'], htmlspecialchars_uni($group['title']));
```
Explanation:
Same XSS vulnerability in `log_admin_action()`. The username is encoded in the fix to prevent XSS.
---
**Vulnerability 6:**
Vulnerability Existed: yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/groups.php - Line 634
**Old Code:**
```php
$page->add_breadcrumb_item($lang->edit_leader." {$leader['username']}");
```
**Fixed Code:**
```php
$leader['username'] = htmlspecialchars_uni($leader['username']);
$page->add_breadcrumb_item($lang->edit_leader." {$leader['username']}");
```
Explanation:
The username was being directly interpolated into a breadcrumb without escaping. The fix pre-encodes the username before using it in the breadcrumb display.
---
**Vulnerability 7:**
Vulnerability Existed: yes
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - admin/modules/user/groups.php - Line 1443
**Old Code:**
```php
$leaders[$leader['gid']][] = build_profile_link($leader['username'], $leader['uid'], "_blank");
```
**Fixed Code:**
```php
$leaders[$leader['gid']][] = build_profile_link(htmlspecialchars_uni($leader['username']), $leader['uid'], "_blank");
```
Explanation:
The leader username was passed to `build_profile_link()` without encoding. The fix properly escapes the username with `htmlspecialchars_uni()` to prevent XSS.
---
**Non-Vulnerability Change:**
Lines 67-68: The change from `5` to `0` for `maxreputationsperuser` and `maxreputationsperthread` is a configuration/logic change, not a security fix. This disables certain reputation features but is not a vulnerability fix.
admin/modules/user/mass_mail.php
AI: 1 vulnerability
1 true positive
--- cache/mybb_mybb_1807/admin/modules/user/mass_mail.php 2025-12-06 11:32:55.126122107 +0000+++ cache/mybb_mybb_1808/admin/modules/user/mass_mail.php 2025-12-06 11:32:55.926173768 +0000@@ -82,6 +82,8 @@ $html_personalisation = substr($html_personalisation, 0, -2)."');\n// --></script>\n"; $text_personalisation = substr($text_personalisation, 0, -2)."');\n// --></script>\n"; + $localized_time_offset = $mybb->user['timezone']*3600 + $mybb->user['dst']*3600;+ // All done here if($mybb->request_method == "post") {@@ -93,7 +95,7 @@ // Delivering in the future else {- if(strstr($mybb->input['deliverytime_time'], "pm"))+ if(stristr($mybb->input['deliverytime_time'], "pm")) { $mybb->input['deliveryhour'] += 12; }@@ -104,7 +106,7 @@ $exploded = explode(' ', $exploded[1]); $mybb->input['deliveryminute'] = (int)$exploded[0]; - $delivery_date = gmmktime($mybb->input['deliveryhour'], $mybb->input['deliveryminute'], 0, $mybb->input['endtime_month'], $mybb->input['endtime_day'], $mybb->input['endtime_year']) + $mybb->user['timezone']*3600;+ $delivery_date = gmmktime($mybb->input['deliveryhour'], $mybb->input['deliveryminute'], 0, $mybb->input['endtime_month'], $mybb->input['endtime_day'], $mybb->input['endtime_year']) - $localized_time_offset; if($delivery_date <= TIME_NOW) { $errors[] = $lang->error_only_in_future;@@ -222,15 +224,15 @@ } else {+ // correct date by timezone and dst+ $offset = $input['delivery_type'] = "future";- $time = date("d-n-Y-h-i-a", $email['senddate']);+ $time = gmdate("d-n-Y", $email['senddate'] + $localized_time_offset); $time = explode('-', $time);- $input['deliveryhour'] = (int)$time[3];- $input['deliveryminute'] = (int)$time[4]; $input['deliverymonth'] = (int)$time[1]; $input['deliveryday'] = (int)$time[0]; $input['deliveryyear'] = (int)$time[2];- $input['deliverymeridiem'] = $time[5];+ $input['endtime_time'] = gmdate($mybb->settings['timeformat'], $email['senddate'] + $localized_time_offset); $delivery_type_checked['future'] = " 
checked=\"checked\""; } }@@ -240,37 +242,15 @@ $delivery_type_checked['now'] = " checked=\"checked\""; } }-- if($input['deliveryhour'])- {- $input['endtime_time'] = (int)$input['deliveryhour'].":";- }- else- {- $input['endtime_time'] = "12:";- }-- if($input['deliveryminute'])- {- $input['endtime_time'] .= (int)$input['deliveryminute']." ";- }- else- {- $input['endtime_time'] .= "00 ";- }-- if($input['deliverymeridiem'])- {- $input['endtime_time'] .= $input['deliverymeridiem'];- }- else+ + if(!$input['endtime_time']) {- $input['endtime_time'] .= "am";+ $input['endtime_time'] = gmdate($mybb->settings['timeformat'], TIME_NOW + $localized_time_offset); } if(!$input['deliveryyear']) {- $enddateyear = gmdate('Y', TIME_NOW);+ $enddateyear = gmdate('Y', TIME_NOW + $localized_time_offset); } else {@@ -279,7 +259,7 @@ if(!$input['deliverymonth']) {- $input['enddatemonth'] = gmdate('n', TIME_NOW);+ $input['enddatemonth'] = gmdate('n', TIME_NOW + $localized_time_offset); } else {@@ -288,7 +268,7 @@ if(!$input['deliveryday']) {- $input['enddateday'] = gmdate('j', TIME_NOW);+ $input['enddateday'] = gmdate('j', TIME_NOW + $localized_time_offset); } else {@@ -557,7 +537,7 @@ $form_container = new FormContainer("{$lang->edit_mass_mail}: {$lang->define_the_recipients}"); - $form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', $input['conditions']['username'], array('id' => 'username')), 'username');+ $form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', htmlspecialchars_uni($input['conditions']['username']), array('id' => 'username')), 'username'); $form_container->output_row($lang->email_addr_contains, "", $form->generate_text_box('conditions[email]', $input['conditions']['email'], array('id' => 'email')), 'email'); $query = $db->simple_select("usergroups", "gid, title", "gid != '1'", array('order_by' => 'title'));@@ -634,6 +614,8 @@ $text_personalisation = 
substr($text_personalisation, 0, -2)."');\n// --></script>\n"; $plugins->run_hooks("admin_user_mass_email_send_start");+ + $localized_time_offset = $mybb->user['timezone']*3600 + $mybb->user['dst']*3600; if($mybb->input['step'] == 4) {@@ -648,7 +630,7 @@ // Delivering in the future else {- if(strstr($mybb->input['deliverytime_time'], "pm"))+ if(stristr($mybb->input['deliverytime_time'], "pm")) { $mybb->input['deliveryhour'] += 12; }@@ -659,7 +641,7 @@ $exploded = explode(' ', $exploded[1]); $mybb->input['deliveryminute'] = (int)$exploded[0]; - $delivery_date = gmmktime($mybb->input['deliveryhour'], $mybb->input['deliveryminute'], 0, $mybb->input['endtime_month'], $mybb->input['endtime_day'], $mybb->input['endtime_year']) + $mybb->user['timezone']*3600;+ $delivery_date = gmmktime($mybb->input['deliveryhour'], $mybb->input['deliveryminute'], 0, $mybb->input['endtime_month'], $mybb->input['endtime_day'], $mybb->input['endtime_year'])- $localized_time_offset; if($delivery_date <= TIME_NOW) { $errors[] = $lang->error_only_in_future;@@ -707,14 +689,12 @@ else { $input['delivery_type'] = "future";- $time = date("d-n-Y-h-i-a", $email['senddate']);+ $time = gmdate("d-n-Y", $email['senddate'] + $localized_time_offset); $time = explode('-', $time);- $input['deliveryhour'] = (int)$time[3];- $input['deliveryminute'] = (int)$time[4]; $input['deliverymonth'] = (int)$time[1]; $input['deliveryday'] = (int)$time[0]; $input['deliveryyear'] = (int)$time[2];- $input['deliverymeridiem'] = $time[5];+ $input['endtime_time'] = gmdate($mybb->settings['timeformat'], $email['senddate'] + $localized_time_offset); $delivery_type_checked['future'] = " checked=\"checked\""; } }@@ -766,36 +746,14 @@ $table->output("{$lang->send_mass_mail}: {$lang->step_four} - {$lang->review_message}"); - if($input['deliveryhour'])- {- $input['endtime_time'] = (int)$input['deliveryhour'].":";- }- else- {- $input['endtime_time'] = "12:";- }-- if($input['deliveryminute'])- {- $input['endtime_time'] .= 
(int)$input['deliveryminute']." ";- }- else- {- $input['endtime_time'] .= "00 ";- }-- if($input['deliverymeridiem'])- {- $input['endtime_time'] .= $input['deliverymeridiem'];- }- else+ if(!$input['endtime_time']) {- $input['endtime_time'] .= "am";+ $input['endtime_time'] = gmdate($mybb->settings['timeformat'], TIME_NOW + $localized_time_offset); } if(!$input['deliveryyear']) {- $enddateyear = gmdate('Y', TIME_NOW);+ $enddateyear = gmdate('Y', TIME_NOW + $localized_time_offset); } else {@@ -804,7 +762,7 @@ if(!$input['deliverymonth']) {- $input['enddatemonth'] = gmdate('n', TIME_NOW);+ $input['enddatemonth'] = gmdate('n', TIME_NOW + $localized_time_offset); } else {@@ -813,7 +771,7 @@ if(!$input['deliveryday']) {- $input['enddateday'] = gmdate('j', TIME_NOW);+ $input['enddateday'] = gmdate('j', TIME_NOW + $localized_time_offset); } else {@@ -993,7 +951,7 @@ $form_container = new FormContainer("{$lang->send_mass_mail}: {$lang->step_three} - {$lang->define_the_recipients}"); - $form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', $input['conditions']['username'], array('id' => 'username')), 'username');+ $form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', htmlspecialchars_uni($input['conditions']['username']), array('id' => 'username')), 'username'); $form_container->output_row($lang->email_addr_contains, "", $form->generate_text_box('conditions[email]', $input['conditions']['email'], array('id' => 'email')), 'email'); $options = array();
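Review bot: the expression `$localized_time_offset = $mybb->user['timezone']*3600 + $mybb->user['dst']*3600` in the `@@ -82` hunk is duplicated verbatim in the `@@ -634` hunk; move it into one helper. The formula also assumes `dst` is strictly `0` or `1`: if the stored value can be any other sentinel (for example an "auto" mode), the DST term over-corrects, so normalise it with `(int)($mybb->user['dst'] == 1)` before multiplying.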
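Review bot: in the `@@ -93` hunk (and the `-648` hunk) the change to `stristr()` makes the meridiem check case-insensitive, but the branch still does `$mybb->input['deliveryhour'] += 12` unconditionally, so `12:30 pm` becomes hour 24 (which `gmmktime()` rolls over to 00:30 of the next day) while `12:30 am` stays at hour 12. Reduce the hour modulo 12 first, then add 12 only for "pm".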
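Review bot: the sign flip in the `@@ -104` hunk (and `-659`) from `+ $mybb->user['timezone']*3600` to `- $localized_time_offset` is the correct direction: local wall-clock time minus the offset gives UTC, and DST is now included. Note that `endtime_month`, `endtime_day` and `endtime_year` go into `gmmktime()` with no range check and `gmmktime()` normalises out-of-range values instead of failing (day 31 of a 30-day month becomes the 1st of the following month), and the only validation below is `$delivery_date <= TIME_NOW`, so an invalid date is accepted silently rather than reported.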
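Review bot: the `@@ -222` hunk adds a dangling `$offset =` under the comment `// correct date by timezone and dst`; together with the following unchanged line it parses as the chained assignment `$offset = $input['delivery_type'] = "future";`, so `$offset` is set to the string "future" and never read. This looks like a leftover from moving the correction into `$localized_time_offset` and should be removed together with the comment. The same hunk replaces the `deliveryhour`/`deliveryminute`/`deliverymeridiem` fields with a single `endtime_time` rendered via `$mybb->settings['timeformat']`, while the POST parser in the `-93`/`-104` hunks still splits on `:` and a space and looks for `pm`; that round-trips only for `H:i`-style or `g:i a`-style formats, so document that constraint or parse the submitted time with the same format string.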
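Review bot: in the `@@ -557` hunk (and `-993`) the `conditions[username]` text box now receives an encoded value, but the `conditions[email]` box on the very next line still passes `$input['conditions']['email']` raw; the two fields should be treated identically. Before applying either, check whether `generate_text_box()` already escapes its `$value` for the attribute: if it does, the wrapper added here double-encodes (an apostrophe already stored as `&#039;` would come back as `&amp;#039;`), and if it does not, the email field needs the same wrapper.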
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - admin/modules/user/mass_mail.php - Line 560, 954
Old Code:
```php
$form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', $input['conditions']['username'], array('id' => 'username')), 'username');
```
Fixed Code:
```php
$form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', htmlspecialchars_uni($input['conditions']['username']), array('id' => 'username')), 'username');
```
Explanation:
The `$input['conditions']['username']` variable was being passed directly to the form field without proper HTML escaping. This allows an attacker to inject malicious JavaScript code through the username condition field. The fix applies `htmlspecialchars_uni()` to properly escape HTML special characters, preventing XSS attacks by converting characters like `<`, `>`, `&`, and quotes into their HTML entity equivalents.
---
Vulnerability Existed: not sure
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - admin/modules/user/mass_mail.php - Line 560, 954
Old Code:
```php
$form_container->output_row($lang->email_addr_contains, "", $form->generate_text_box('conditions[email]', $input['conditions']['email'], array('id' => 'email')), 'email');
```
Fixed Code:
```php
$form_container->output_row($lang->email_addr_contains, "", $form->generate_text_box('conditions[email]', $input['conditions']['email'], array('id' => 'email')), 'email');
```
Explanation:
The email field (`$input['conditions']['email']`) is not escaping the user input in this diff. While the username field was fixed with `htmlspecialchars_uni()`, the email field remains unescaped. This is a potential XSS vulnerability unless the `generate_text_box()` function internally performs escaping. Without seeing the implementation of `generate_text_box()`, it's uncertain whether this is vulnerable, but following the pattern of the fix applied to the username field, this should likely also be escaped.
admin/modules/user/users.php
AI: No vulnerabilities
--- cache/mybb_mybb_1807/admin/modules/user/users.php 2025-12-06 11:32:55.126122107 +0000+++ cache/mybb_mybb_1808/admin/modules/user/users.php 2025-12-06 11:32:55.930174026 +0000@@ -254,7 +254,7 @@ my_mail($user['email'], $lang->sprintf($lang->emailsubject_activateaccount, $mybb->settings['bbname']), $message); // Log admin action- log_admin_action($user['uid'], $user['username']);+ log_admin_action($user['uid'], htmlspecialchars_uni($user['username'])); if($mybb->input['from'] == "home") {@@ -359,7 +359,7 @@ $plugins->run_hooks("admin_user_users_add_commit"); // Log admin action- log_admin_action($user_info['uid'], $user_info['username']);+ log_admin_action($user_info['uid'], htmlspecialchars_uni($user_info['username'])); flash_message($lang->success_user_created, 'success'); admin_redirect("index.php?module=user-users&action=edit&uid={$user_info['uid']}");@@ -393,7 +393,7 @@ } $form_container = new FormContainer($lang->required_profile_info);- $form_container->output_row($lang->username." <em>*</em>", "", $form->generate_text_box('username', $mybb->input['username'], array('id' => 'username')), 'username');+ $form_container->output_row($lang->username." <em>*</em>", "", $form->generate_text_box('username', htmlspecialchars_uni($mybb->get_input('username')), array('id' => 'username')), 'username'); $form_container->output_row($lang->password." <em>*</em>", "", $form->generate_password_box('password', $mybb->input['password'], array('id' => 'password', 'autocomplete' => 'off')), 'password'); $form_container->output_row($lang->confirm_password." <em>*</em>", "", $form->generate_password_box('confirm_password', $mybb->input['confirm_password'], array('id' => 'confirm_new_password')), 'confirm_new_password'); $form_container->output_row($lang->email_address." 
<em>*</em>", "", $form->generate_text_box('email', $mybb->input['email'], array('id' => 'email')), 'email');@@ -836,7 +836,7 @@ } // Log admin action- log_admin_action($user['uid'], $mybb->input['username']);+ log_admin_action($user['uid'], htmlspecialchars_uni($mybb->input['username'])); flash_message($lang->success_user_updated, 'success'); admin_redirect("index.php?module=user-users");@@ -923,7 +923,7 @@ <link rel="stylesheet" href="../jscripts/sceditor/editor_themes/mybb.css" type="text/css" media="all" /> <script type="text/javascript" src="../jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1805"></script>- <script type="text/javascript" src="../jscripts/bbcodes_sceditor.js?ver=1804"></script>+ <script type="text/javascript" src="../jscripts/bbcodes_sceditor.js?ver=1808"></script> <script type="text/javascript" src="../jscripts/sceditor/editor_plugins/undo.js?ver=1805"></script> EOF; $page->output_header($lang->edit_user);@@ -985,14 +985,21 @@ "height" => 120 ); }- if(my_substr($user['avatar'], 0, 7) !== 'http://' && my_substr($user['avatar'], 0, 8) !== 'https://')+ if(!my_validate_url($user['avatar'])) { $user['avatar'] = "../{$user['avatar']}\n"; } } else {- $user['avatar'] = "../".$mybb->settings['useravatar'];+ if(my_validate_url($mybb->settings['useravatar']))+ {+ $user['avatar'] = str_replace('{theme}', 'images', $mybb->settings['useravatar']);+ }+ else+ {+ $user['avatar'] = "../".str_replace('{theme}', 'images', $mybb->settings['useravatar']);+ } $scaled_dimensions = array( "width" => 120, "height" => 120@@ -1098,7 +1105,8 @@ $table->construct_cell("<strong>{$lang->last_known_ip}:</strong> ".my_inet_ntop($db->unescape_binary($user['lastip']))); $table->construct_row(); - $table->output("{$lang->user_overview}: {$user['username']}");+ $username = htmlspecialchars_uni($user['username']);+ $table->output("{$lang->user_overview}: {$username}"); echo "</div>\n"; //@@ -1106,7 +1114,7 @@ // echo "<div id=\"tab_profile\">\n"; - $form_container = new 
FormContainer($lang->required_profile_info.": {$user['username']}");+ $form_container = new FormContainer($lang->required_profile_info.": ".htmlspecialchars_uni($user['username'])); $form_container->output_row($lang->username." <em>*</em>", "", $form->generate_text_box('username', $mybb->input['username'], array('id' => 'username')), 'username'); $form_container->output_row($lang->new_password, $lang->new_password_desc, $form->generate_password_box('new_password', $mybb->input['new_password'], array('id' => 'new_password', 'autocomplete' => 'off')), 'new_password'); $form_container->output_row($lang->confirm_new_password, $lang->new_password_desc, $form->generate_password_box('confirm_new_password', $mybb->input['confirm_new_password'], array('id' => 'confirm_new_password')), 'confirm_new_password');@@ -1141,7 +1149,7 @@ $form_container->end(); - $form_container = new FormContainer($lang->optional_profile_info.": {$user['username']}");+ $form_container = new FormContainer($lang->optional_profile_info.': '.htmlspecialchars_uni($user['username'])); $form_container->output_row($lang->custom_user_title, $lang->custom_user_title_desc, $form->generate_text_box('usertitle', $mybb->input['usertitle'], array('id' => 'usertitle')), 'usertitle'); $form_container->output_row($lang->website, "", $form->generate_text_box('website', $mybb->input['website'], array('id' => 'website')), 'website'); $form_container->output_row($lang->icq_number, "", $form->generate_numeric_field('icq', $mybb->input['icq'], array('id' => 'icq', 'min' => 0)), 'icq');@@ -1187,7 +1195,7 @@ if($mybb->settings['allowaway'] != 0) {- $form_container = new FormContainer($lang->away_information.": {$user['username']}");+ $form_container = new FormContainer($lang->away_information.': '.htmlspecialchars_uni($user['username'])); $awaycheck = array(false, true); if($mybb->input['away'] == 1) {@@ -1215,7 +1223,7 @@ // Plugin hook note - we should add hooks in above each output_row for the below so users can add 
their own options to each group :> echo "<div id=\"tab_settings\">\n";- $form_container = new FormContainer($lang->account_settings.": {$user['username']}");+ $form_container = new FormContainer($lang->account_settings.': '.htmlspecialchars_uni($user['username'])); $login_options = array( $form->generate_check_box("invisible", 1, $lang->hide_from_whos_online, array("checked" => $mybb->input['invisible'])), );@@ -1359,7 +1367,7 @@ $sig_imgcode = $lang->on; } echo "<div id=\"tab_signature\">\n";- $form_container = new FormContainer("{$lang->signature}: {$user['username']}");+ $form_container = new FormContainer($lang->signature.': '.htmlspecialchars_uni($user['username'])); $form_container->output_row($lang->signature, $lang->sprintf($lang->signature_desc, $sig_mycode, $sig_smilies, $sig_imgcode, $sig_html), $signature_editor, 'signature'); $periods = array(@@ -1481,7 +1489,7 @@ { $current_avatar_msg = "<br /><strong>{$lang->user_current_using_uploaded_avatar}</strong>"; }- elseif($user['avatartype'] == "remote" || my_strpos(my_strtolower($user['avatar']), "http://") !== false)+ elseif($user['avatartype'] == "remote" || my_validate_url($user['avatar'])) { $current_avatar_msg = "<br /><strong>{$lang->user_current_using_remote_avatar}</strong>"; $avatar_url = $user['avatar'];@@ -1512,7 +1520,7 @@ $table->construct_cell($lang->avatar_desc."{$remove_avatar}<br /><small>{$max_size}</small>"); $table->construct_row(); - $table->output($lang->avatar.": {$user['username']}");+ $table->output($lang->avatar.': '.htmlspecialchars_uni($user['username'])); // Custom avatar if($mybb->settings['avatarresizing'] == "auto")@@ -1541,7 +1549,7 @@ ); echo "<div id=\"tab_modoptions\">\n";- $form_container = new FormContainer($lang->mod_options.": {$user['username']}");+ $form_container = new FormContainer($lang->mod_options.': '.htmlspecialchars_uni($user['username'])); $form_container->output_row($lang->user_notes, '', $form->generate_text_area('usernotes', $mybb->input['usernotes'], 
array('id' => 'usernotes')), 'usernotes'); // Mod posts@@ -1581,7 +1589,7 @@ } $modpost_div = '<div id="modpost">'.$existing_info.''.$lang->moderate_for.' '.$form->generate_numeric_field("modpost_time", $mybb->input['modpost_time'], array('style' => 'width: 3em;', 'min' => 0)).' '.$modpost_options.'</div>';- $lang->moderate_posts_info = $lang->sprintf($lang->moderate_posts_info, $user['username']);+ $lang->moderate_posts_info = $lang->sprintf($lang->moderate_posts_info, htmlspecialchars_uni($user['username'])); $form_container->output_row($form->generate_check_box("moderateposting", 1, $lang->moderate_posts, array("id" => "moderateposting", "onclick" => "toggleBox('modpost');", "checked" => $mybb->input['moderateposting'])), $lang->moderate_posts_info, $modpost_div); // Suspend posts@@ -1621,7 +1629,7 @@ } $suspost_div = '<div id="suspost">'.$existing_info.''.$lang->suspend_for.' '.$form->generate_numeric_field("suspost_time", $mybb->input['suspost_time'], array('style' => 'width: 3em;', 'min' => 0)).' '.$suspost_options.'</div>';- $lang->suspend_posts_info = $lang->sprintf($lang->suspend_posts_info, $user['username']);+ $lang->suspend_posts_info = $lang->sprintf($lang->suspend_posts_info, htmlspecialchars_uni($user['username'])); $form_container->output_row($form->generate_check_box("suspendposting", 1, $lang->suspend_posts, array("id" => "suspendposting", "onclick" => "toggleBox('suspost');", "checked" => $mybb->input['suspendposting'])), $lang->suspend_posts_info, $suspost_div); 
@@ -1738,7 +1746,7 @@ $plugins->run_hooks("admin_user_users_delete_commit_end"); - log_admin_action($user['uid'], $user['username']);+ log_admin_action($user['uid'], htmlspecialchars_uni($user['username'])); flash_message($lang->success_user_deleted, 'success'); admin_redirect("index.php?module=user-users");@@ -1818,7 +1826,7 @@ $user = $db->fetch_array($query); // Log admin action- log_admin_action($user['uid'], $user['username']);+ log_admin_action($user['uid'], htmlspecialchars_uni($user['username'])); $table = new Table; 
@@ -1883,7 +1891,7 @@ $table->construct_row(); } - $table->output($lang->ip_address_for." {$user['username']}");+ $table->output($lang->ip_address_for.' '.htmlspecialchars_uni($user['username'])); $page->output_footer(); }@@ -2113,10 +2121,12 @@ $cache->update_awaitingactivation(); // Log admin action- log_admin_action($source_user['uid'], $source_user['username'], $destination_user['uid'], $destination_user['username']);+ log_admin_action($source_user['uid'], htmlspecialchars_uni($source_user['username']), $destination_user['uid'], htmlspecialchars_uni($destination_user['username'])); // Redirect!- flash_message("<strong>{$source_user['username']}</strong> {$lang->success_merged} {$destination_user['username']}", "success");+ $username = htmlspecialchars_uni($source_user['username']);+ $destination_username = htmlspecialchars_uni($destination_user['username']);+ flash_message("<strong>{$username}</strong> {$lang->success_merged} {$destination_username}", "success"); admin_redirect("index.php?module=user-users"); exit; }@@ -2618,7 +2628,7 @@ { if($time != '---') {- $friendly_time = my_date("D, jS M Y @ g:ia", ban_date2timestamp($time));+ $friendly_time = my_date("D, jS M Y @ {$mybb->settings['timeformat']}", ban_date2timestamp($time)); $period = "{$period} ({$friendly_time})"; } $length_list[$time] = $period;@@ -3103,6 +3113,11 @@ { global $mybb, $db, $cache, $lang, $user_view_fields, $page; + if($view['view_type'] != 'card')+ {+ $view['view_type'] = 'table';+ }+ $view_title = ''; if($view['title']) {@@ -3136,6 +3151,7 @@ if(isset($mybb->input['username'])) { $view['conditions']['username'] = $mybb->input['username'];+ $view['url'] .= "&username=".urlencode(htmlspecialchars_uni($mybb->input['username'])); } if($view['vid']) {@@ -3155,11 +3171,6 @@ $view['url'] .= "&search_id=".htmlspecialchars_uni($mybb->input['search_id']); } - if(isset($mybb->input['username']))- {- $view['url'] .= "&username=".urlencode(htmlspecialchars_uni($mybb->input['username']));- }- 
if(!isset($admin_session['data']['last_users_view']) || $admin_session['data']['last_users_view'] != str_replace("&", "&", $view['url'])) { update_admin_session('last_users_url', str_replace("&", "&", $view['url']));@@ -3500,6 +3511,7 @@ while($user = $db->fetch_array($query)) { $comma = $groups_list = '';+ $user['username'] = htmlspecialchars_uni($user['username']); $user['view']['username'] = "<a href=\"index.php?module=user-users&action=edit&uid={$user['uid']}\">".format_name($user['username'], $user['usergroup'], $user['displaygroup'])."</a>"; $user['view']['usergroup'] = htmlspecialchars_uni($usergroups[$user['usergroup']]['title']); if($user['additionalgroups'])@@ -3554,7 +3566,7 @@ $popup->add_item($lang->delete_user, "index.php?module=user-users&action=delete&uid={$user['uid']}&my_post_key={$mybb->post_code}", "return AdminCP.deleteConfirmation(this, '{$lang->user_deletion_confirmation}')"); $popup->add_item($lang->show_referred_users, "index.php?module=user-users&action=referrers&uid={$user['uid']}"); $popup->add_item($lang->show_ip_addresses, "index.php?module=user-users&action=ipaddresses&uid={$user['uid']}");- $popup->add_item($lang->show_attachments, "index.php?module=forum-attachments&results=1&username=".urlencode(htmlspecialchars_uni($user['username'])));+ $popup->add_item($lang->show_attachments, "index.php?module=forum-attachments&results=1&username=".urlencode($user['username'])); $user['view']['controls'] = $popup->fetch(); // Fetch the reputation for this user@@ -3582,7 +3594,7 @@ $user['view']['warninglevel'] = get_colored_warning_level($warning_level); } - if($user['avatar'] && my_substr($user['avatar'], 0, 7) !== 'http://' && my_substr($user['avatar'], 0, 8) !== 'https://')+ if($user['avatar'] && !my_validate_url($user['avatar'])) { $user['avatar'] = "../{$user['avatar']}"; }@@ -3596,7 +3608,14 @@ } if(!$user['avatar']) {- $user['avatar'] = "../".$mybb->settings['useravatar'];+ if(my_validate_url($mybb->settings['useravatar']))+ {+ 
$user['avatar'] = str_replace('{theme}', 'images', $mybb->settings['useravatar']);+ }+ else+ {+ $user['avatar'] = "../".str_replace('{theme}', 'images', $mybb->settings['useravatar']);+ } } $user['view']['avatar'] = "<img src=\"".htmlspecialchars_uni($user['avatar'])."\" alt=\"\" width=\"{$scaled_avatar['width']}\" height=\"{$scaled_avatar['height']}\" />"; 
@@ -3646,7 +3665,8 @@ // Do we need to construct the pagination? if($num_results > $view['perpage']) {- $pagination = draw_admin_pagination($mybb->input['page'], $view['perpage'], $num_results, $view['url']."&type={$view['view_type']}");+ $view_type = htmlspecialchars_uni($view['view_type']);+ $pagination = draw_admin_pagination($mybb->input['page'], $view['perpage'], $num_results, $view['url']."&type={$view_type}"); $search_class = "float_right"; $search_style = ""; }@@ -3677,7 +3697,7 @@ $default_class = "search_default"; $value = $lang->search_for_user; }- $built_view .= $search->generate_text_box('username', $value, array('id' => 'search_keywords', 'class' => "{$default_class} field150 field_small"))."\n";+ $built_view .= $search->generate_text_box('username', htmlspecialchars_uni($value), array('id' => 'search_keywords', 'class' => "{$default_class} field150 field_small"))."\n"; $built_view .= "<input type=\"submit\" class=\"search_button\" value=\"{$lang->search}\" />\n"; if($view['popup']) {@@ -4111,7 +4131,7 @@ } $form_container = new FormContainer($lang->find_users_where);- $form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', $input['conditions']['username'], array('id' => 'username')), 'username');+ $form_container->output_row($lang->username_contains, "", $form->generate_text_box('conditions[username]', htmlspecialchars_uni($input['conditions']['username']), array('id' => 'username')), 'username'); $form_container->output_row($lang->email_address_contains, "", $form->generate_text_box('conditions[email]', $input['conditions']['email'], array('id' => 'email')), 'email'); $options = array();
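Review bot: the trailing `\n` in `$user['avatar'] = "../{$user['avatar']}\n";` (unchanged context in the -985 hunk) stays inside a value that later lands in an `src` attribute; it reads as a stray newline and should be dropped while this block is being rewritten. In the same hunk the explicit `http://`/`https://` prefix test is replaced by `my_validate_url()`, so the validator's accepted schemes now decide what is treated as a remote avatar; confirm it accepts only http(s) before the value reaches `<img src>`.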
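Review bot: `log_admin_action($user['uid'], htmlspecialchars_uni($mybb->input['username']))` in the -836 hunk (and the same pattern in the -1738, -1818 and -2113 hunks) writes the HTML-escaped username into the admin log instead of escaping at render time. That is only correct if the log viewer does not escape again; check the display path for double-encoding, and check any consumer that compares the logged name against the raw `username` column, since the two no longer match for names containing `&`, `<`, `"` or `'`.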
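Review bot: `urlencode(htmlspecialchars_uni($mybb->input['username']))` in the -3136 hunk URL-encodes the HTML-escaped form of the name, so a username containing `&`, `"` or `'` is sent in `$view['url']` as its entity form and the receiving page searches for a different string. The -3554 hunk has the same effect by a different route: `$user['username']` was already escaped by the -3500 hunk before `urlencode()` runs. Query parameters need only `urlencode()`; HTML escaping belongs where `$view['url']` is printed into markup.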
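Review bot: with the -3103 hunk forcing `$view['view_type']` to either `card` or `table`, the `htmlspecialchars_uni($view['view_type'])` added in the -3646 hunk is redundant. Harmless, but a one-line comment at the whitelist should say it is the control that keeps `view_type` safe in the pagination URL, so a later reorder of these blocks does not drop it.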
AI Analysis
# Security Analysis Report
Based on the provided diff, I'll analyze each vulnerability systematically.
---
## Vulnerability 1
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79 - admin/modules/user/users.php - Lines 257, 362, 839, 1101-1102, 1109, 1117, 1152, 1198, 1226, 1370, 1524, 1552, 1592, 1624, 1749, 1829, 1886, 2124-2125, 3514, 3669, 3700, 4134**
**Old Code:**
```php
log_admin_action($user['uid'], $user['username']);
```
**Fixed Code:**
```php
log_admin_action($user['uid'], htmlspecialchars_uni($user['username']));
```
**Explanation:**
The username variable is user-controlled data that was being passed directly to `log_admin_action()` without HTML escaping. If a username contains special characters or script tags, it could be reflected in log output or admin interface without proper encoding, leading to XSS. The fix applies `htmlspecialchars_uni()` to escape HTML entities before logging/display.
---
## Vulnerability 2
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79 - admin/modules/user/users.php - Line 396**
**Old Code:**
```php
$form->generate_text_box('username', $mybb->input['username'], array('id' => 'username'))
```
**Fixed Code:**
```php
$form->generate_text_box('username', htmlspecialchars_uni($mybb->get_input('username')), array('id' => 'username'))
```
**Explanation:**
User input from `$mybb->input['username']` was rendered in a form field without escaping. The fix applies `htmlspecialchars_uni()` to sanitize the output in the HTML context.
---
## Vulnerability 3
**Vulnerability Existed:** yes
**Path Traversal / Improper URL Validation - CWE-22 - admin/modules/user/users.php - Lines 988, 991, 1492, 3594, 3608-3609**
**Old Code:**
```php
if(my_substr($user['avatar'], 0, 7) !== 'http://' && my_substr($user['avatar'], 0, 8) !== 'https://')
{
$user['avatar'] = "../{$user['avatar']}\n";
}
else
{
$user['avatar'] = "../".$mybb->settings['useravatar'];
}
```
**Fixed Code:**
```php
if(!my_validate_url($user['avatar']))
{
$user['avatar'] = "../{$user['avatar']}\n";
}
else
{
if(my_validate_url($mybb->settings['useravatar']))
{
$user['avatar'] = str_replace('{theme}', 'images', $mybb->settings['useravatar']);
}
else
{
$user['avatar'] = "../".str_replace('{theme}', 'images', $mybb->settings['useravatar']);
}
}
```
**Explanation:**
The old code used substring checks to validate URLs, which is insufficient. An attacker could use relative paths or edge cases to bypass validation. The fix uses `my_validate_url()` function for proper URL validation. Additionally, the fix replaces `{theme}` placeholder before path manipulation to prevent unintended path construction.
---
## Vulnerability 4
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79 - admin/modules/user/users.php - Line 3569**
**Old Code:**
```php
$popup->add_item($lang->show_attachments, "index.php?module=forum-attachments&results=1&username=".urlencode(htmlspecialchars_uni($user['username'])));
```
**Fixed Code:**
```php
$popup->add_item($lang->show_attachments, "index.php?module=forum-attachments&results=1&username=".urlencode($user['username']));
```
**Explanation:**
The fix removes the redundant `htmlspecialchars_uni()` call before `urlencode()`. URL encoding handles the special characters appropriately for URL context. Applying HTML escaping before URL encoding could result in double-encoding issues or improper escaping. The username at line 3514 is already escaped and stored in `$user['username']`, so this is safe.
---
## Vulnerability 5
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79 - admin/modules/user/users.php - Lines 3154, 3668, 3680, 4134**
**Old Code:**
```php
$view['url'] .= "&username=".urlencode(htmlspecialchars_uni($mybb->input['username']));
```
**Fixed Code:**
```php
$view['url'] .= "&username=".urlencode(htmlspecialchars_uni($mybb->input['username']));
```
**Explanation:**
The fix properly encodes the username parameter for URL context by applying `htmlspecialchars_uni()` followed by `urlencode()`. This prevents XSS when the URL is rendered in HTML attributes.
---
## Vulnerability 6
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79 - admin/modules/user/users.php - Line 926**
**Old Code:**
```html
<script type="text/javascript" src="../jscripts/bbcodes_sceditor.js?ver=1804"></script>
```
**Fixed Code:**
```html
<script type="text/javascript" src="../jscripts/bbcodes_sceditor.js?ver=1808"></script>
```
**Explanation:**
While this appears to be a version number update (1804→1808), updating script versions is important for security patches and bug fixes in the referenced JavaScript file. This ensures users receive the latest secure version of the editor script.
archive/index.php
AI: 1 vulnerabilities
1 true positive
--- cache/mybb_mybb_1807/archive/index.php 2025-12-06 11:32:55.134122623 +0000+++ cache/mybb_mybb_1808/archive/index.php 2025-12-06 11:32:55.938174543 +0000@@ -55,7 +55,7 @@ $announcement['message'] = $parser->parse_message($announcement['message'], $parser_options); - $profile_link = build_profile_link($announcement['username'], $announcement['uid']);+ $profile_link = build_profile_link(htmlspecialchars_uni($announcement['username']), $announcement['uid']); // Build the navigation add_breadcrumb($announcement['subject']);@@ -216,7 +216,7 @@ { $post['username'] = $post['userusername']; }- $post['username'] = build_profile_link($post['username'], $post['uid']);+ $post['username'] = build_profile_link(htmlspecialchars_uni($post['username']), $post['uid']); $plugins->run_hooks("archive_thread_post");
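Review bot: both hunks escape the username before handing it to `build_profile_link()`, whose output is the HTML context here; confirm that function (or `format_name()` behind it) does not escape its first argument itself, otherwise names with `&` or `<` render double-encoded. The -216 hunk's fallback `$post['username'] = $post['userusername'];` sits in the context lines above the change, so the escape covers both the name stored on the post and the account name, which is what we want.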
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
[Cross-Site Scripting (XSS)] - [CWE-79] - [archive/index.php] [Lines 58, 219]
Old Code:
```php
$profile_link = build_profile_link($announcement['username'], $announcement['uid']);
```
and
```php
$post['username'] = build_profile_link($post['username'], $post['uid']);
```
Fixed Code:
```php
$profile_link = build_profile_link(htmlspecialchars_uni($announcement['username']), $announcement['uid']);
```
and
```php
$post['username'] = build_profile_link(htmlspecialchars_uni($post['username']), $post['uid']);
```
Explanation:
The vulnerability was a **Stored XSS (Cross-Site Scripting)** issue. User-controlled data from the `username` field was being passed directly to `build_profile_link()` without HTML encoding. If a user's username contained malicious JavaScript (e.g., `<img src=x onerror=alert('xss')>`), it would be rendered unescaped in the HTML output, allowing the attacker's JavaScript to execute in other users' browsers when they view announcements or posts.
The fix applies `htmlspecialchars_uni()` to encode the username before passing it to `build_profile_link()`. This converts dangerous HTML characters (like `<`, `>`, `"`, `'`) into their HTML entity equivalents (`&lt;`, `&gt;`, etc.), preventing the browser from interpreting the input as executable code. The `_uni` variant suggests this is MyBB's UTF-8 aware version of `htmlspecialchars()`.
This is a critical security fix that prevents stored XSS attacks targeting user profiles.
attachment.php
AI: No vulnerabilities
--- cache/mybb_mybb_1807/attachment.php 2025-12-06 11:32:55.134122623 +0000+++ cache/mybb_mybb_1808/attachment.php 2025-12-06 11:32:55.938174543 +0000@@ -53,6 +53,16 @@ error($lang->error_invalidattachment); } +$attachtypes = (array)$cache->read('attachtypes');+$ext = get_extension($attachment['filename']);++if(empty($attachtypes[$ext]))+{+ error($lang->error_invalidattachment);+}++$attachtype = $attachtypes[$ext];+ $pid = $attachment['pid']; // Don't check the permissions on preview@@ -83,10 +93,20 @@ { error($lang->error_invalidattachment); }++ if($attachtype['forums'] != -1 && strpos(','.$attachtype['forums'].',', ','.$fid.',') === false)+ {+ error_no_permission();+ } } if(!isset($mybb->input['thumbnail'])) // Only increment the download count if this is not a thumbnail {+ if(!is_member($attachtype['groups']))+ {+ error_no_permission();+ }+ $attachupdate = array( "downloads" => $attachment['downloads']+1, );
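Review bot: the `is_member($attachtype['groups'])` check in the -83 hunk is placed inside `if(!isset($mybb->input['thumbnail']))`, so a request carrying the `thumbnail` parameter is served without the group restriction and only the forum check in the block above applies; if group-restricted attachment types are meant to hide thumbnails as well, move the check above that branch. In the -53 hunk, `(array)$cache->read('attachtypes')` being empty (cache not rebuilt after the upgrade) makes every download fail with `error_invalidattachment`; that is fail-closed, which is right, but it belongs in the upgrade notes.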
AI Analysis
Vulnerability Existed: no
Authorization Bypass Vulnerability (Insufficient Access Control) - CWE-639 - attachment.php (lines 56-64, 96-100, 104-107)
Old Code:
```php
// Attachment type validation was missing
// Only basic attachment existence checks were performed
// No validation of attachment type's forum restrictions
// No validation of attachment type's group restrictions
```
Fixed Code:
```php
$attachtypes = (array)$cache->read('attachtypes');
$ext = get_extension($attachment['filename']);
if(empty($attachtypes[$ext]))
{
error($lang->error_invalidattachment);
}
$attachtype = $attachtypes[$ext];
// Forum restriction check
if($attachtype['forums'] != -1 && strpos(','.$attachtype['forums'].',', ','.$fid.',') === false)
{
error_no_permission();
}
// Group membership check
if(!is_member($attachtype['groups']))
{
error_no_permission();
}
```
Explanation:
This is a security fix, not an existing vulnerability being exploited. The patch adds proper authorization controls to prevent unauthorized attachment access:
1. **Attachment Type Validation** (lines 56-64): Ensures the file extension matches a configured attachment type before allowing download
2. **Forum Restriction Check** (lines 96-100): Validates that the attachment's allowed forums include the current forum (when restrictions are set)
3. **Group Membership Check** (lines 104-107): Ensures only users in the attachment type's allowed groups can download
Without these checks, users could download attachments they shouldn't have access to by directly requesting them, bypassing intended forum and group-level restrictions. This fixes the vulnerability rather than introducing one.
calendar.php
AI: 2 vulnerabilities
1 true positive
--- cache/mybb_mybb_1807/calendar.php 2025-12-06 11:32:55.134122623 +0000+++ cache/mybb_mybb_1808/calendar.php 2025-12-06 11:32:55.938174543 +0000@@ -11,11 +11,11 @@ define("IN_MYBB", 1); define('THIS_SCRIPT', 'calendar.php'); -$templatelist = "calendar_weekdayheader,calendar_weekrow_day,calendar_weekrow,calendar,calendar_addevent,calendar_move,calendar_year,calendar_day,calendar_select,calendar_repeats,calendar_weekview_day_event_time";-$templatelist .= ",calendar_weekview_day,calendar_weekview_day_event,calendar_mini_weekdayheader,calendar_mini_weekrow_day,calendar_mini_weekrow,calendar_mini,calendar_weekview_month,calendar_weekview";-$templatelist .= ",calendar_event_editbutton,calendar_event_modoptions,calendar_dayview_event,calendar_dayview,codebuttons,smilieinsert,smilieinsert_getmore,smilieinsert_smilie,smilieinsert_smilie_empty";-$templatelist .= ",calendar_jump,calendar_jump_option,calendar_editevent,calendar_dayview_birthdays_bday,calendar_dayview_birthdays,calendar_dayview_noevents,calendar_addeventlink,calendar_addevent_calendarselect_hidden";-$templatelist .= ",calendar_weekrow_day_birthdays,calendar_weekview_day_birthdays,calendar_year_sel,calendar_event_userstar,calendar_addevent_calendarselect,calendar_eventbit,calendar_event";+$templatelist = "calendar_weekdayheader,calendar_weekrow_day,calendar_weekrow,calendar,calendar_addevent,calendar_year,calendar_day,calendar_select,calendar_repeats,calendar_weekview_day_event_time";+$templatelist .= ",calendar_weekview_day,calendar_weekview_day_event,calendar_mini_weekdayheader,calendar_mini_weekrow_day,calendar_mini_weekrow,calendar_mini,calendar_mini_weekrow_day_link,calendar_move";+$templatelist .= ",calendar_event_editbutton,calendar_event_modoptions,calendar_dayview_event,calendar_dayview,codebuttons,calendar_weekrow_day_events,calendar_weekview_month,calendar_addeventlink";+$templatelist .= 
",calendar_jump,calendar_jump_option,calendar_editevent,calendar_dayview_birthdays_bday,calendar_dayview_birthdays,calendar_dayview_noevents,calendar_addevent_calendarselect_hidden";+$templatelist .= ",calendar_weekrow_day_birthdays,calendar_weekview_day_birthdays,calendar_year_sel,calendar_event_userstar,calendar_addevent_calendarselect,calendar_eventbit,calendar_event,calendar_weekview"; require_once "./global.php"; require_once MYBB_ROOT."inc/functions_calendar.php";@@ -945,7 +945,7 @@ { $privatecheck = ''; }- $start_date = explode("-", gmdate("j-n-Y-g:i A", $event['starttime']+$event['timezone']*3600));+ $start_date = explode("-", gmdate("j-n-Y", $event['starttime']+$event['timezone']*3600)); $single_day = $start_date[0]; $single_month[$start_date[1]] = " selected=\"selected\""; $single_year = $start_date[2];@@ -962,7 +962,7 @@ } if($event['endtime']) {- $end_date = explode("-", gmdate("j-n-Y-g:i A", $event['endtime']+$event['timezone']*3600));+ $end_date = explode("-", gmdate("j-n-Y", $event['endtime']+$event['timezone']*3600)); $end_day = $end_date[0]; $end_month[$end_date[1]] = " selected=\"selected\""; $end_year = $end_date[2];@@ -1461,6 +1461,7 @@ // Event made by registered user if($event['uid'] > 0 && $event['username']) {+ $event['username'] = htmlspecialchars_uni($event['username']); $event['profilelink'] = build_profile_link(format_name($event['username'], $event['usergroup'], $event['displaygroup']), $event['uid']); if(trim($event['usertitle']) != "")@@ -1516,6 +1517,7 @@ $event['username'] = $lang->guest; } + $event['username'] = htmlspecialchars_uni($event['username']); $event['profilelink'] = format_name($event['username'], 1); if($user_usergroup['usertitle'])@@ -1721,7 +1723,7 @@ $age = ''; } - $birthday['username'] = format_name($birthday['username'], $birthday['usergroup'], $birthday['displaygroup']);+ $birthday['username'] = format_name(htmlspecialchars_uni($birthday['username']), $birthday['usergroup'], $birthday['displaygroup']); 
$birthday['profilelink'] = build_profile_link($birthday['username'], $birthday['uid']); eval("\$birthday_list .= \"".$templates->get("calendar_dayview_birthdays_bday", 1, 0)."\";"); $comma = $lang->comma;@@ -1800,6 +1802,7 @@ // Event made by registered user if($event['uid'] > 0 && $event['username']) {+ $event['username'] = htmlspecialchars_uni($event['username']); $event['profilelink'] = build_profile_link(format_name($event['username'], $event['usergroup'], $event['displaygroup']), $event['uid']); if(trim($event['usertitle']) != "")@@ -1854,7 +1857,7 @@ $event['username'] = $lang->guest; } - $event['username'] = $event['username'];+ $event['username'] = htmlspecialchars_uni($event['username']); $event['profilelink'] = format_name($event['username'], 1); if($user_usergroup['usertitle'])@@ -2416,9 +2419,8 @@ break; } - $day_events = '';- // Any events on this specific day?+ $day_events = $event_lang = ''; if(is_array($events_cache) && array_key_exists("{$day}-{$calendar_month}-{$calendar_year}", $events_cache)) { $total_events = count($events_cache["$day-$calendar_month-$calendar_year"]);@@ -2426,12 +2428,15 @@ { if($total_events > 1) {- $day_events = "<div style=\"margin-bottom: 4px;\"><a href=\"".get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day)."\" class=\"smalltext\">{$total_events} {$lang->events}</a></div>\n";+ $event_lang = $lang->events; } else {- $day_events = "<div style=\"margin-bottom: 4px;\"><a href=\"".get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day)."\" class=\"smalltext\">1 {$lang->event}</a></div>\n";+ $event_lang = $lang->event; }++ $calendar['link'] = get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day);+ eval("\$day_events = \"".$templates->get("calendar_weekrow_day_events")."\";"); } else {
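Review bot: the -2416 hunk replaces inline HTML with `eval()` of the new `calendar_weekrow_day_events` template, and the -11 hunk adds that name to `$templatelist`, but the template body is not part of this diff; it must ship with the template-set update or `$templates->get()` returns an empty string and the day link silently disappears. `$calendar['link']` is also written into the shared `$calendar` array only so the template can see it; a separate variable would keep a per-day value from leaking into later loop iterations.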
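Review bot: the -1461 and -1800 hunks escape `$event['username']` immediately before `format_name()`, while the -1516 and -1857 hunks escape it again on the guest path, where it has just been set to `$lang->guest`. Escaping a language string is harmless, but applying `htmlspecialchars_uni()` once, right after the row is fetched and before either branch, would avoid two escape sites per loop and remove the question of whether a value can reach `format_name()` escaped twice.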
AI Analysis
Analyzing the provided diff for security vulnerabilities...
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - calendar.php lines 1464, 1520, 1726, 1805, 1860
Old Code:
```php
$event['username'] = $event['username'];
// or
$event['username'] = format_name($event['username'], $event['usergroup'], $event['displaygroup']);
// or
$birthday['username'] = format_name($birthday['username'], $birthday['usergroup'], $birthday['displaygroup']);
```
Fixed Code:
```php
$event['username'] = htmlspecialchars_uni($event['username']);
// and
$birthday['username'] = format_name(htmlspecialchars_uni($birthday['username']), $birthday['usergroup'], $birthday['displaygroup']);
```
Explanation:
User-controlled data from the `$event['username']` and `$birthday['username']` fields are output in templates without proper HTML escaping in multiple locations. The fix applies `htmlspecialchars_uni()` to escape these values before they are used in template rendering (via `eval()` with template strings), preventing XSS attacks where malicious users could inject JavaScript code into their usernames that would execute in other users' browsers.
---
**Vulnerability 2:**
Vulnerability Existed: yes
Template Injection / Code Injection - CWE-94 - calendar.php lines 2428-2437
Old Code:
```php
$day_events = "<div style=\"margin-bottom: 4px;\"><a href=\"".get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day)."\" class=\"smalltext\">{$total_events} {$lang->events}</a></div>\n";
// or
$day_events = "<div style=\"margin-bottom: 4px;\"><a href=\"".get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day)."\" class=\"smalltext\">1 {$lang->event}</a></div>\n";
```
Fixed Code:
```php
$event_lang = $lang->events;
// or
$event_lang = $lang->event;
$calendar['link'] = get_calendar_link($calendar['cid'], $calendar_year, $calendar_month, $day);
eval("\$day_events = \"".$templates->get("calendar_weekrow_day_events")."\";");
```
Explanation:
The original code embedded HTML directly into `$day_events` with user-controlled data (day/month/year from calendar link). The fix moves to a template-based approach where HTML structure is controlled by templates and only sanitized language strings are passed. This reduces the attack surface for template injection and makes the code more maintainable by separating logic from presentation.
---
**Vulnerability 3:**
Vulnerability Existed: no
Date Format Change - calendar.php lines 948, 965
Old Code:
```php
$start_date = explode("-", gmdate("j-n-Y-g:i A", $event['starttime']+$event['timezone']*3600));
$end_date = explode("-", gmdate("j-n-Y-g:i A", $event['endtime']+$event['timezone']*3600));
```
Fixed Code:
```php
$start_date = explode("-", gmdate("j-n-Y", $event['starttime']+$event['timezone']*3600));
$end_date = explode("-", gmdate("j-n-Y", $event['endtime']+$event['timezone']*3600));
```
Explanation:
This is a bug fix, not a security vulnerability. The original code used a date format `"j-n-Y-g:i A"` (including time) but then only accessed indices [0], [1], and [2] from the exploded array, expecting day, month, and year. The time portions were unnecessary and caused incorrect array indexing. The fix removes the time format to match the actual usage pattern.
captcha.php
AI: 1 vulnerabilities
1 false positive
--- cache/mybb_mybb_1807/captcha.php 2025-12-06 11:32:55.134122623 +0000+++ cache/mybb_mybb_1808/captcha.php 2025-12-06 11:32:55.938174543 +0000@@ -95,7 +95,7 @@ imagefill($im, 0, 0, $bg_color); // Draw random circles, squares or lines?-$to_draw = my_rand(0, 2);+$to_draw = rand(0, 2); if($to_draw == 1) { draw_circles($im);@@ -135,12 +135,12 @@ for($i = 10; $i < $img_width; $i += 10) {- $color = imagecolorallocate($im, my_rand(150, 255), my_rand(150, 255), my_rand(150, 255));+ $color = imagecolorallocate($im, rand(150, 255), rand(150, 255), rand(150, 255)); imageline($im, $i, 0, $i, $img_height, $color); } for($i = 10; $i < $img_height; $i += 10) {- $color = imagecolorallocate($im, my_rand(150, 255), my_rand(150, 255), my_rand(150, 255));+ $color = imagecolorallocate($im, rand(150, 255), rand(150, 255), rand(150, 255)); imageline($im, 0, $i, $img_width, $i, $color); } }@@ -157,12 +157,12 @@ $circles = $img_width*$img_height / 100; for($i = 0; $i <= $circles; ++$i) {- $color = imagecolorallocate($im, my_rand(180, 255), my_rand(180, 255), my_rand(180, 255));- $pos_x = my_rand(1, $img_width);- $pos_y = my_rand(1, $img_height);- $circ_width = ceil(my_rand(1, $img_width)/2);- $circ_height = my_rand(1, $img_height);- imagearc($im, $pos_x, $pos_y, $circ_width, $circ_height, 0, my_rand(200, 360), $color);+ $color = imagecolorallocate($im, rand(180, 255), rand(180, 255), rand(180, 255));+ $pos_x = rand(1, $img_width);+ $pos_y = rand(1, $img_height);+ $circ_width = ceil(rand(1, $img_width)/2);+ $circ_height = rand(1, $img_height);+ imagearc($im, $pos_x, $pos_y, $circ_width, $circ_height, 0, rand(200, 360), $color); } } 
@@ -178,8 +178,8 @@ $dot_count = $img_width*$img_height/5; for($i = 0; $i <= $dot_count; ++$i) {- $color = imagecolorallocate($im, my_rand(200, 255), my_rand(200, 255), my_rand(200, 255));- imagesetpixel($im, my_rand(0, $img_width), my_rand(0, $img_height), $color);+ $color = imagecolorallocate($im, rand(200, 255), rand(200, 255), rand(200, 255));+ imagesetpixel($im, rand(0, $img_width), rand(0, $img_height), $color); } } 
@@ -195,10 +195,10 @@ $square_count = 30; for($i = 0; $i <= $square_count; ++$i) {- $color = imagecolorallocate($im, my_rand(150, 255), my_rand(150, 255), my_rand(150, 255));- $pos_x = my_rand(1, $img_width);- $pos_y = my_rand(1, $img_height);- $sq_width = $sq_height = my_rand(10, 20);+ $color = imagecolorallocate($im, rand(150, 255), rand(150, 255), rand(150, 255));+ $pos_x = rand(1, $img_width);+ $pos_y = rand(1, $img_height);+ $sq_width = $sq_height = rand(10, 20); $pos_x2 = $pos_x + $sq_height; $pos_y2 = $pos_y + $sq_width; imagefilledrectangle($im, $pos_x, $pos_y, $pos_x2, $pos_y2, $color);@@ -230,19 +230,19 @@ if($use_ttf) { // Select a random font size- $font_size = my_rand($min_size, $max_size);+ $font_size = rand($min_size, $max_size); // Select a random font $font = array_rand($ttf_fonts); $font = $ttf_fonts[$font]; // Select a random rotation- $rotation = my_rand($min_angle, $max_angle);+ $rotation = rand($min_angle, $max_angle); // Set the colour- $r = my_rand(0, 200);- $g = my_rand(0, 200);- $b = my_rand(0, 200);+ $r = rand(0, 200);+ $g = rand(0, 200);+ $b = rand(0, 200); $color = imagecolorallocate($im, $r, $g, $b); // Fetch the dimensions of the character being added@@ -256,8 +256,8 @@ $pos_y = ceil(($img_height-$string_height/2)); // Draw a shadow- $shadow_x = my_rand(-3, 3) + $pos_x;- $shadow_y = my_rand(-3, 3) + $pos_y;+ $shadow_x = rand(-3, 3) + $pos_x;+ $shadow_y = rand(-3, 3) + $pos_y; $shadow_color = imagecolorallocate($im, $r+20, $g+20, $b+20); imagefttext($im, $font_size, $rotation, $shadow_x, $shadow_y, $shadow_color, $font, $string[$i], array()); 
@@ -272,7 +272,7 @@ // Calculate character offsets $pos_x = $spacing / 4 + $i * $spacing;- $pos_y = $img_height / 2 - $string_height -10 + my_rand(-3, 3);+ $pos_y = $img_height / 2 - $string_height -10 + rand(-3, 3); // Create a temporary image for this character if(gd_version() >= 2)@@ -288,14 +288,14 @@ imagecolortransparent($temp_im, $bg_color); // Set the colour- $r = my_rand(0, 200);- $g = my_rand(0, 200);- $b = my_rand(0, 200);+ $r = rand(0, 200);+ $g = rand(0, 200);+ $b = rand(0, 200); $color = imagecolorallocate($temp_im, $r, $g, $b); // Draw a shadow- $shadow_x = my_rand(-1, 1);- $shadow_y = my_rand(-1, 1);+ $shadow_x = rand(-1, 1);+ $shadow_y = rand(-1, 1); $shadow_color = imagecolorallocate($temp_im, $r+50, $g+50, $b+50); imagestring($temp_im, 5, 1+$shadow_x, 1+$shadow_y, $string[$i], $shadow_color);
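Review bot: the my_rand() to rand() swap in these hunks touches only the noise layer (dot and square placement and colours, glyph size, rotation, colour and shadow offsets); the challenge text itself arrives in $string[$i] and is drawn unchanged, so nothing that has to stay unguessable is affected. The motivation is not stated anywhere, though, and with $dot_count = $img_width*$img_height/5 iterations at five calls each the dot loop alone is the hot path, so if cost is the reason it belongs in a comment above that loop; a reviewer who sees a random helper replaced by rand() in a file named captcha.php will otherwise flag it as a weakening. Separately, and pre-existing: rand(0, $img_width) and rand(0, $img_height) can return a coordinate one past the last pixel, so rand(0, $img_width - 1) and rand(0, $img_height - 1) would keep every dot inside the image.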
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Weak Cryptography - CWE-338 - captcha.php (All instances)
Old Code:
```php
my_rand(0, 2);
my_rand(150, 255);
my_rand(1, $img_width);
```
[etc - all my_rand() calls]
Fixed Code:
```php
rand(0, 2);
rand(150, 255);
rand(1, $img_width);
```
[etc - all rand() calls]
Explanation:
This diff replaces `my_rand()` calls with PHP's native `rand()` function throughout the CAPTCHA generation code. However, this is a **security regression, not a fix**. `my_rand()` (assuming it's MyBB's custom implementation) is typically a cryptographically secure random number generator. The native `rand()` function is **not cryptographically secure** and should not be used for security-sensitive operations like CAPTCHA generation. For CAPTCHA rendering, while the visual randomization itself isn't a direct vulnerability, replacing a custom implementation (which may have been designed for security) with a weaker `rand()` function weakens the entropy of the CAPTCHA. A more secure replacement would be `random_int()` (available in PHP 7.0+) or `random_bytes()` for cryptographic randomness. **This change introduces a security weakness rather than fixing one.** The codebase should revert to using a cryptographically secure random function for CAPTCHA generation.
contact.php
AI: 2 vulnerabilities
2 true positives
--- cache/mybb_mybb_1807/contact.php 2025-12-06 11:32:55.134122623 +0000+++ cache/mybb_mybb_1808/contact.php 2025-12-06 11:32:55.938174543 +0000@@ -209,18 +209,14 @@ require_once MYBB_ROOT."inc/class_parser.php"; $parser = new postParser; - $parser_options = array(- 'filter_badwords' => 1- );-- $mybb->input['subject'] = $parser->parse_message($mybb->input['subject'], $parser_options);- $mybb->input['message'] = $parser->parse_message($mybb->input['message'], $parser_options);+ $mybb->input['subject'] = $parser->parse_badwords($mybb->input['subject']);+ $mybb->input['message'] = $parser->parse_badwords($mybb->input['message']); } $user = $lang->na; if($mybb->user['uid']) {- $user = $mybb->user['username'].' - '.$mybb->settings['bburl'].'/'.get_profile_link($mybb->user['uid']);+ $user = htmlspecialchars_uni($mybb->user['username']).' - '.$mybb->settings['bburl'].'/'.get_profile_link($mybb->user['uid']); } $subject = $lang->sprintf($lang->email_contact_subject, $mybb->input['subject']);
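Review bot: the two hunks pull in opposite directions on escaping, and the diff does not say which output context they target. The subject and message lose whatever parse_message() applied beyond bad-word filtering (it was called with only 'filter_badwords' => 1 set), while the username gains htmlspecialchars_uni(). If the resulting $user string and subject go into a plain-text e-mail, entity-encoding the username will show up as literal &amp; and similar in the recipient's mailbox; if the mail is HTML, subject and message now need the same escaping the username just received. Please state the intended content type in the commit message or in a comment beside the $user assignment so the next reader can tell which of the two is the deliberate choice.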
AI Analysis
Analyzing the code diff for security vulnerabilities:
---
**Vulnerability 1: Reflected Cross-Site Scripting (XSS)**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - contact.php [Line 219]
Old Code:
```php
$user = $mybb->user['username'].' - '.$mybb->settings['bburl'].'/'.get_profile_link($mybb->user['uid']);
```
Fixed Code:
```php
$user = htmlspecialchars_uni($mybb->user['username']).' - '.$mybb->settings['bburl'].'/'.get_profile_link($mybb->user['uid']);
```
Explanation:
The username field was being directly concatenated into the output without HTML escaping. If a user's username contained malicious JavaScript or HTML characters, it could be executed in the context of the page. The fix applies `htmlspecialchars_uni()` to properly escape the username before output, preventing XSS attacks. This is a stored XSS vulnerability since usernames are persistent user-controlled data.
---
**Vulnerability 2: Insecure API Usage (Parse Options)**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation - CWE-94 - contact.php [Lines 212-215, 217-218]
Old Code:
```php
$parser_options = array(
'filter_badwords' => 1
);
$mybb->input['subject'] = $parser->parse_message($mybb->input['subject'], $parser_options);
$mybb->input['message'] = $parser->parse_message($mybb->input['message'], $parser_options);
```
Fixed Code:
```php
$mybb->input['subject'] = $parser->parse_badwords($mybb->input['subject']);
$mybb->input['message'] = $parser->parse_badwords($mybb->input['message']);
```
Explanation:
The fix replaces the generic `parse_message()` function with a dedicated `parse_badwords()` function. While not inherently vulnerable, the old approach using general-purpose parsing with selective options is less secure than using a purpose-built function. The dedicated function likely provides stronger input sanitization and is less prone to misconfiguration. This represents a defensive improvement to ensure consistent and appropriate parsing of user input in contact form fields.
editpost.php
AI: 2 vulnerabilities
1 false positive, 1 true positive
--- cache/mybb_mybb_1807/editpost.php 2025-12-06 11:32:55.134122623 +0000+++ cache/mybb_mybb_1808/editpost.php 2025-12-06 11:32:55.938174543 +0000@@ -11,16 +11,19 @@ define("IN_MYBB", 1); define('THIS_SCRIPT', 'editpost.php'); -$templatelist = "editpost,previewpost,changeuserbox,codebuttons,smilieinsert,smilieinsert_getmore,smilieinsert_smilie,smilieinsert_smilie_empty,post_attachments_attachment_postinsert,post_attachments_attachment_mod_unapprove,postbit_attachments_thumbnails";-$templatelist .= ",editpost_delete,error_attacherror,forumdisplay_password_wrongpass,forumdisplay_password,editpost_reason,post_attachments_attachment_remove,post_attachments_update,post_subscription_method,postbit_online,postbit_away";-$templatelist .= ",postbit_avatar,postbit_find,postbit_pm,postbit_rep_button,postbit_www,postbit_email,postbit_reputation,postbit_warn,postbit_warninglevel,postbit_author_user,postbit_icon,postbit_userstar,postbit_offline,postbit_attachments_images";-$templatelist .= ",postbit_signature,postbit_classic,postbit,postbit_attachments_thumbnails_thumbnail,postbit_attachments_images_image,postbit_attachments_attachment,postbit_attachments_attachment_unapproved,post_attachments_update,postbit_attachments";-$templatelist .= ",posticons_icon,post_prefixselect_prefix,post_prefixselect_single,newthread_postpoll,editpost_disablesmilies,post_attachments_attachment_mod_approve,post_attachments_attachment_unapproved,post_attachments_new,postbit_gotopost";-$templatelist .= ",postbit_warninglevel_formatted,postbit_reputation_formatted_link,editpost_disablesmilies_hidden,attachment_icon,post_attachments_attachment,post_attachments_add,post_attachments,posticons,global_moderation_notice";+$templatelist = "editpost,previewpost,changeuserbox,codebuttons,post_attachments_attachment_postinsert,post_attachments_attachment_mod_unapprove,postbit_attachments_thumbnails,posticons";+$templatelist .= 
",editpost_delete,forumdisplay_password_wrongpass,forumdisplay_password,editpost_reason,post_attachments_attachment_remove,post_attachments_update,post_subscription_method";+$templatelist .= ",postbit_avatar,postbit_find,postbit_pm,postbit_rep_button,postbit_www,postbit_email,postbit_reputation,postbit_warn,postbit_warninglevel,postbit_author_user,error_attacherror";+$templatelist .= ",postbit_signature,postbit_classic,postbit,postbit_attachments_thumbnails_thumbnail,postbit_attachments_images_image,postbit_attachments_attachment,postbit_attachments_attachment_unapproved";+$templatelist .= ",posticons_icon,post_prefixselect_prefix,post_prefixselect_single,newthread_postpoll,editpost_disablesmilies,post_attachments_attachment_mod_approve,post_attachments_attachment_unapproved";+$templatelist .= ",postbit_warninglevel_formatted,postbit_reputation_formatted_link,editpost_disablesmilies_hidden,attachment_icon,post_attachments_attachment,post_attachments_add,post_attachments";+$templatelist .= ",postbit_attachments_images,global_moderation_notice,post_attachments_new,postbit_attachments,postbit_online,postbit_away,postbit_offline,postbit_gotopost,postbit_userstar,postbit_icon"; require_once "./global.php"; require_once MYBB_ROOT."inc/functions_post.php"; require_once MYBB_ROOT."inc/functions_upload.php";+require_once MYBB_ROOT."inc/class_parser.php";+$parser = new postParser; // Load global language phrases $lang->load("editpost");@@ -60,7 +63,7 @@ error($lang->error_invalidthread); } -$thread['subject'] = htmlspecialchars_uni($thread['subject']);+$thread['subject'] = htmlspecialchars_uni($parser->parse_badwords($thread['subject'])); // Get forum info $fid = $post['fid'];@@ -557,6 +560,7 @@ $posticons = get_post_icons(); } + $mybb->user['username'] = htmlspecialchars_uni($mybb->user['username']); eval("\$loginbox = \"".$templates->get("changeuserbox")."\";"); $deletebox = '';@@ -680,6 +684,7 @@ "subject" => $mybb->get_input('subject'), "icon" => $mybb->get_input('icon', 
MyBB::INPUT_INT), "uid" => $post['uid'],+ "username" => $post['username'], "edit_uid" => $mybb->user['uid'], "message" => $mybb->get_input('message'), );
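Review bot: escaping $mybb->user['username'] in place right before the changeuserbox eval rewrites the shared user record for the rest of the request; any code after that point that reads $mybb->user['username'] now receives the entity-encoded form, and a second htmlspecialchars_uni() on it would double-encode. Either pass the escaped value to the template through a dedicated variable, or add a comment at the assignment stating that the field is intentionally escaped from here on. The new "username" => $post['username'] entry in the preview array is passed raw and its consumer is not in this diff, so note whether the template or the preview code is expected to escape it. The $templatelist reshuffle at the top of the file is unrelated churn that makes the three security changes harder to spot; splitting it into its own commit would help.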
AI Analysis
Based on the provided diff analysis, here are the security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - editpost.php line 63
[Old Code]
```php
$thread['subject'] = htmlspecialchars_uni($thread['subject']);
```
[Fixed Code]
```php
$thread['subject'] = htmlspecialchars_uni($parser->parse_badwords($thread['subject']));
```
Explanation:
The old code only applied HTML encoding to the thread subject, but the fixed code additionally calls `$parser->parse_badwords()` which likely filters or sanitizes malicious content patterns (such as inappropriate words or script injections). This additional layer of protection helps prevent XSS attacks that might bypass simple HTML encoding, particularly those using encoded entities or obfuscation techniques.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - editpost.php line 563
[Old Code]
```php
eval("\$loginbox = \"".$templates->get("changeuserbox")."\";");
```
[Fixed Code]
```php
$mybb->user['username'] = htmlspecialchars_uni($mybb->user['username']);
eval("\$loginbox = \"".$templates->get("changeuserbox")."\";");
```
Explanation:
The fixed code adds HTML encoding of `$mybb->user['username']` before it's used in the `eval()` statement. Since the template likely contains the username variable, this prevents XSS attacks where a malicious username could inject scripts into the rendered template. This is a critical fix because the `eval()` function evaluates PHP code, and unescaped user input within templates can lead to code injection or XSS.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
Potential Information Disclosure or Template Injection - CWE-89/CWE-79 - editpost.php line 687
[Old Code]
```
(no username field in array)
```
[Fixed Code]
```
"username" => $post['username'],
```
Explanation:
The addition of the `username` field to the preview data array may or may not be a security fix. Without seeing the template context, it's unclear if this prevents information disclosure by ensuring the correct username is displayed in the preview, or if it addresses a template injection issue. However, combined with the HTML encoding fix at line 563, this appears to be part of a coordinated fix to properly handle usernames in template rendering without XSS vulnerabilities.
forumdisplay.php
AI: 1 vulnerability
1 true positive
--- cache/mybb_mybb_1807/forumdisplay.php 2025-12-06 11:32:55.134122623 +0000+++ cache/mybb_mybb_1808/forumdisplay.php 2025-12-06 11:32:55.938174543 +0000@@ -314,7 +314,7 @@ if($user['invisible'] != 1 || $mybb->usergroup['canviewwolinvis'] == 1 || $user['uid'] == $mybb->user['uid']) {- $user['username'] = format_name($user['username'], $user['usergroup'], $user['displaygroup']);+ $user['username'] = format_name(htmlspecialchars_uni($user['username']), $user['usergroup'], $user['displaygroup']); $user['profilelink'] = build_profile_link($user['username'], $user['uid']); eval("\$onlinemembers .= \"".$templates->get("forumdisplay_usersbrowsing_user", 1, 0)."\";"); $comma = $lang->comma;@@ -798,6 +798,9 @@ $announcement['subject'] = $parser->parse_badwords($announcement['subject']); $announcement['subject'] = htmlspecialchars_uni($announcement['subject']); $postdate = my_date('relative', $announcement['startdate']);++ $announcement['username'] = htmlspecialchars_uni($announcement['username']);+ $announcement['profilelink'] = build_profile_link($announcement['username'], $announcement['uid']); if($mybb->settings['allowthreadratings'] != 0 && $foruminfo['allowtratings'] != 0 && $fpermissions['canviewthreads'] != 0)@@ -1027,11 +1030,11 @@ $thread['author'] = $thread['uid']; if(!$thread['username']) {- $thread['username'] = $thread['threadusername'];- $thread['profilelink'] = $thread['threadusername'];+ $thread['username'] = $thread['profilelink'] = htmlspecialchars_uni($thread['threadusername']); } else {+ $thread['username'] = htmlspecialchars_uni($thread['username']); $thread['profilelink'] = build_profile_link($thread['username'], $thread['uid']); } @@ -1256,7 +1259,7 @@ $inline_edit_class = "subject_editable"; } - $lastposter = $thread['lastposter'];+ $lastposter = htmlspecialchars_uni($thread['lastposter']); $lastposteruid = $thread['lastposteruid']; $lastpostdate = my_date('relative', $thread['lastpost']);
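Review bot: the escape-then-format order in the first hunk (htmlspecialchars_uni() inside the format_name() call) is the right one, since format_name() is what wraps the name in group styling markup; a one-line comment there would stop a later contributor from swapping the order and escaping that markup. In the thread hunk, $thread['username'] is escaped in place before build_profile_link() and the escaped value is then reused for $thread['profilelink'], so any code later in the same loop that escapes username or profilelink again will double-encode; a quick check of the rest of the loop body for a second htmlspecialchars_uni() on those fields would be worthwhile. The announcement hunk already follows the parse_badwords() then htmlspecialchars_uni() order used for the subject, which keeps the two fields consistent.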
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - forumdisplay.php Lines 317, 801, 1033, 1037, 1259
Old Code:
```php
$user['username'] = format_name($user['username'], $user['usergroup'], $user['displaygroup']);
$announcement['username'] = $announcement['username']; // (implicit, no escaping)
$thread['username'] = $thread['threadusername'];
$thread['username'] = $thread['username']; // (no escaping before use)
$lastposter = $thread['lastposter'];
```
Fixed Code:
```php
$user['username'] = format_name(htmlspecialchars_uni($user['username']), $user['usergroup'], $user['displaygroup']);
$announcement['username'] = htmlspecialchars_uni($announcement['username']);
$thread['username'] = $thread['profilelink'] = htmlspecialchars_uni($thread['threadusername']);
$thread['username'] = htmlspecialchars_uni($thread['username']);
$lastposter = htmlspecialchars_uni($thread['lastposter']);
```
Explanation:
This diff addresses multiple Stored XSS vulnerabilities in MyBB's forumdisplay.php template. User-controlled data fields (`username`, `lastposter`, `threadusername`) are output directly into HTML templates via eval() and template rendering without proper HTML entity encoding. The fix applies `htmlspecialchars_uni()` to escape these values before output, preventing attackers from injecting malicious JavaScript through usernames or poster names. This is a classic output encoding vulnerability where user input stored in the database was rendered in HTML context without escaping. The vulnerability would allow authenticated or unauthenticated attackers to inject XSS payloads through user profiles or thread creation, which would execute in the browsers of other users viewing the forum.