Shared security patch analysis results
AI Used: deepseek deepseek-chat--- /root/PatchLeaks-main/products/1838/Upload/admin/inc/class_page.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/inc/class_page.php@@ -422,7 +422,7 @@ } // Make query string nice and pretty so that user can go to his/her preferred destination $query_string = '';- if($_SERVER['QUERY_STRING'])+ if(isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != '') { $query_string = '?'.preg_replace('#adminsid=(.{32})#i', '', $_SERVER['QUERY_STRING']); $query_string = preg_replace('#my_post_key=(.{32})#i', '', $query_string);
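Review bot: In the changed condition, `$_SERVER['QUERY_STRING'] != ''` uses a loose comparison; the value is a string whenever it is set, so `!== ''` says the same thing without type juggling. The rewrite also changes one edge case: a query string of `0` was falsy under the old `if($_SERVER['QUERY_STRING'])` and now enters the block. That looks harmless here, but the commit message should state that the change targets the unset-index notice, since the `adminsid` and `my_post_key` stripping below is unchanged.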
Vulnerability Existed: yes
Undefined Index / Potential Information Disclosure [Upload/admin/inc/class_page.php] [Lines 422-425]
[Old Code]
```php
if($_SERVER['QUERY_STRING'])
```
[Fixed Code]
```php
if(isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != '')
```
MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.
--- /root/PatchLeaks-main/products/1838/Upload/admin/inc/functions.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/inc/functions.php@@ -528,6 +528,7 @@ switch($mysql_encoding[0]) { case "utf8":+ case "utf8mb3": return "utf-8"; break; case "latin1":@@ -881,4 +882,4 @@ </p> </div> HTML;-}+}
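Review bot: The added `case "utf8mb3":` falls through to `return "utf-8";`, which is correct for the three-byte charset that MySQL's `utf8` aliases, but the visible part of the switch shows no `utf8mb4` label. Please confirm it is handled elsewhere in this switch; otherwise it takes whatever the default branch returns. The `break;` after `return` is unreachable and could go. The second hunk only changes the end-of-file newline.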
Based on the provided code diff, here is my analysis:
**Vulnerability 1:**
```
Vulnerability Existed: not sure
Character Encoding Handling [Upload/admin/inc/functions.php] [528-532]
[Old Code]
case "utf8":
return "utf-8";
break;
[Fixed Code]
case "utf8":
case "utf8mb3":
return "utf-8";
break;
```
**Explanation:**
The diff shows an addition of a new case "utf8mb3" to the character encoding switch statement. While this appears to be a code improvement for better encoding support, I cannot definitively identify a specific security vulnerability that this fixes. The change improves compatibility with MySQL's utf8mb3 character set, but without more context about how this function is used, I cannot determine if this was addressing a security issue like potential encoding-based attacks or if it's simply a functional improvement.
--- /root/PatchLeaks-main/products/1838/Upload/admin/modules/config/calendars.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/modules/config/calendars.php@@ -426,10 +426,13 @@ foreach($mybb->input['disporder'] as $cid => $order) {- $update_query = array(- "disporder" => (int)$order- );- $db->update_query("calendars", $update_query, "cid='".(int)$cid."'");+ if(is_numeric($order) && (int)$order >= 0)+ {+ $update_query = array(+ "disporder" => (int)$order+ );+ $db->update_query("calendars", $update_query, "cid='".(int)$cid."'");+ } } $plugins->run_hooks("admin_config_calendars_update_order_commit");
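Review bot: The new guard `is_numeric($order) && (int)$order >= 0` is looser than the integer it is meant to admit: `is_numeric` also accepts floats, exponent forms such as `1e3` and leading whitespace, and the `(int)` cast then stores whatever those collapse to. If the field is a non-negative whole number, `ctype_digit((string)$order)` or `filter_var($order, FILTER_VALIDATE_INT, array('options' => array('min_range' => 0)))` states that directly. Both the old and new lines already cast `$order` and `$cid` with `(int)` before they reach `update_query`, so the change tightens data validation (negative and non-numeric display orders) rather than altering what can reach the SQL string, and rejected rows are skipped without any error reaching the admin.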
Vulnerability Existed: yes
Input Validation Bypass Leading to Potential SQL Injection or Data Corruption [Upload/admin/modules/config/calendars.php] [Lines 426-432]
Old Code:
```php
foreach($mybb->input['disporder'] as $cid => $order)
{
$update_query = array(
"disporder" => (int)$order
);
$db->update_query("calendars", $update_query, "cid='".(int)$cid."'");
}
```
Fixed Code:
```php
foreach($mybb->input['disporder'] as $cid => $order)
{
if(is_numeric($order) && (int)$order >= 0)
{
$update_query = array(
"disporder" => (int)$order
);
$db->update_query("calendars", $update_query, "cid='".(int)$cid."'");
}
}
```
--- /root/PatchLeaks-main/products/1838/Upload/admin/modules/config/plugins.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/modules/config/plugins.php@@ -603,6 +603,8 @@ */ function get_plugins_list() {+ $plugins_list = array();+ // Get a list of the plugin files which exist in the plugins directory $dir = @opendir(MYBB_ROOT."inc/plugins/"); if($dir)
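Review bot: With `$plugins_list` now initialised to an empty array, a failed `@opendir(MYBB_ROOT."inc/plugins/")` in `get_plugins_list()` becomes indistinguishable from a directory with no plugins, assuming the function returns `$plugins_list` (the return is outside this hunk). The `@` hides the reason; consider dropping the suppression or reporting the failure so an unreadable plugins directory is visible to the admin.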
Vulnerability Existed: not sure
Potential Directory Traversal / Information Disclosure [Upload/admin/modules/config/plugins.php] [Lines 603-610]
[Old Code]
```php
function get_plugins_list()
{
// Get a list of the plugin files which exist in the plugins directory
$dir = @opendir(MYBB_ROOT."inc/plugins/");
if($dir)
```
[Fixed Code]
```php
function get_plugins_list()
{
$plugins_list = array();
// Get a list of the plugin files which exist in the plugins directory
$dir = @opendir(MYBB_ROOT."inc/plugins/");
if($dir)
```
Note: The fix initializes the `$plugins_list` array before use. While this primarily addresses a potential undefined variable issue, it could prevent information disclosure if the variable was used uninitialized in error messages or output. However, this appears to be more of a bug fix than a direct security vulnerability.
--- /root/PatchLeaks-main/products/1838/Upload/admin/modules/config/report_reasons.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/modules/config/report_reasons.php@@ -294,7 +294,10 @@ { foreach($mybb->input['disporder'] as $rid => $order) {- $db->update_query("reportreasons", array('disporder' => (int)$order), "rid='".(int)$rid."'");+ if(is_numeric($order) && (int)$order >= 0)+ {+ $db->update_query("reportreasons", array('disporder' => (int)$order), "rid='".(int)$rid."'");+ } } $plugins->run_hooks("admin_config_report_reasons_start_commit");@@ -356,7 +359,7 @@ $form_container->output_cell(htmlspecialchars_uni($reasons['title'])); $form_container->output_cell(htmlspecialchars_uni($reasons['appliesto'])); $form_container->output_cell("<div>{$icon}</div>", array("class" => "align_center"));- $form_container->output_cell("<input type=\"text\" name=\"disporder[{$reasons['rid']}]\" value=\"{$reasons['disporder']}\" class=\"text_input align_center\" style=\"width: 80%;\" />", array("class" => "align_center"));+ $form_container->output_cell("<input type=\"number\" name=\"disporder[{$reasons['rid']}]\" value=\"{$reasons['disporder']}\" min=\"0\" class=\"text_input align_center\" style=\"width: 80%;\" />", array("class" => "align_center")); $popup = new PopupMenu("reasons_{$reasons['rid']}", $lang->options); $popup->add_item($lang->edit_reason, "index.php?module=config-report_reasons&action=edit&rid={$reasons['rid']}"); $popup->add_item($lang->delete_reason, "index.php?module=config-report_reasons&action=delete&rid={$reasons['rid']}&my_post_key={$mybb->post_code}", "return AdminCP.deleteConfirmation(this, '{$lang->confirm_reason_deletion}')");
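Review bot: In the `foreach` over `$mybb->input['disporder']`, a value that fails `is_numeric($order) && (int)$order >= 0` is dropped silently, and `admin_config_report_reasons_start_commit` still runs as if the whole submission had been applied. Consider collecting the rejected `rid` values and surfacing an error (or aborting the update) so a partially applied reorder is visible to the admin and to plugins on that hook.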
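Review bot: In the changed `output_cell` call, `type="number"` and `min="0"` are browser-side hints only; the enforcement is the server-side check in the first hunk, and the commit message should say so. While this line is being touched, `{$reasons['rid']}` and `{$reasons['disporder']}` are interpolated into the attributes unescaped, unlike the neighbouring `title` and `appliesto` cells that go through `htmlspecialchars_uni`; casting both with `(int)` at output would keep the markup well-formed regardless of what is stored.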
Vulnerability Existed: yes
SQL Injection via Input Validation Bypass [Upload/admin/modules/config/report_reasons.php] [Lines 294-298]
Old Code:
```php
$db->update_query("reportreasons", array('disporder' => (int)$order), "rid='".(int)$rid."'");
```
Fixed Code:
```php
if(is_numeric($order) && (int)$order >= 0)
{
$db->update_query("reportreasons", array('disporder' => (int)$order), "rid='".(int)$rid."'");
}
```
Vulnerability Existed: yes
Client-Side Input Validation Bypass [Upload/admin/modules/config/report_reasons.php] [Line 356]
Old Code:
```php
$form_container->output_cell("<input type=\"text\" name=\"disporder[{$reasons['rid']}]\" value=\"{$reasons['disporder']}\" class=\"text_input align_center\" style=\"width: 80%;\" />", array("class" => "align_center"));
```
Fixed Code:
```php
$form_container->output_cell("<input type=\"number\" name=\"disporder[{$reasons['rid']}]\" value=\"{$reasons['disporder']}\" min=\"0\" class=\"text_input align_center\" style=\"width: 80%;\" />", array("class" => "align_center"));
```
--- /root/PatchLeaks-main/products/1838/Upload/admin/modules/forum/management.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/modules/forum/management.php@@ -1199,23 +1199,21 @@ foreach($usergroups as $usergroup) { $perms = array();- if(!empty($mybb->input['default_permissions'][$usergroup['gid']]))- {- if(isset($existing_permissions) && is_array($existing_permissions) && $existing_permissions[$usergroup['gid']])- {- $perms = $existing_permissions[$usergroup['gid']];- $default_checked = false;- }- elseif(is_array($cached_forum_perms) && isset($forum_data['fid']) && !empty($cached_forum_perms[$forum_data['fid']][$usergroup['gid']]))- {- $perms = $cached_forum_perms[$forum_data['fid']][$usergroup['gid']];- $default_checked = true;- }- else if(is_array($cached_forum_perms) && isset($forum_data['fid']) && !empty($cached_forum_perms[$forum_data['pid']][$usergroup['gid']]))- {- $perms = $cached_forum_perms[$forum_data['pid']][$usergroup['gid']];- $default_checked = true;- }++ if(isset($existing_permissions) && is_array($existing_permissions) && $existing_permissions[$usergroup['gid']])+ {+ $perms = $existing_permissions[$usergroup['gid']];+ $default_checked = false;+ }+ elseif(is_array($cached_forum_perms) && isset($forum_data['fid']) && !empty($cached_forum_perms[$forum_data['fid']][$usergroup['gid']]))+ {+ $perms = $cached_forum_perms[$forum_data['fid']][$usergroup['gid']];+ $default_checked = true;+ }+ else if(is_array($cached_forum_perms) && isset($forum_data['pid']) && !empty($cached_forum_perms[$forum_data['pid']][$usergroup['gid']]))+ {+ $perms = $cached_forum_perms[$forum_data['pid']][$usergroup['gid']];+ $default_checked = true; } if(!$perms)@@ -2322,7 +2320,10 @@ { foreach($mybb->input['disporder'] as $update_fid => $order) {- $db->update_query("forums", array('disporder' => (int)$order), "fid='".(int)$update_fid."'");+ if(is_numeric($order) && (int)$order >= 0)+ {+ $db->update_query("forums", array('disporder' => (int)$order), 
"fid='".(int)$update_fid."'");+ } } $plugins->run_hooks("admin_forum_management_start_disporder_commit");@@ -3032,4 +3033,3 @@ $form_container->construct_row(); return $form_container->output_row_cells(0, true); }-
Vulnerability Existed: yes
Insecure Direct Object Reference / Access Control Bypass [Upload/admin/modules/forum/management.php] [Lines 1200-1222]
Old Code:
```php
foreach($usergroups as $usergroup)
{
$perms = array();
if(!empty($mybb->input['default_permissions'][$usergroup['gid']]))
{
if(isset($existing_permissions) && is_array($existing_permissions) && $existing_permissions[$usergroup['gid']])
{
$perms = $existing_permissions[$usergroup['gid']];
$default_checked = false;
}
elseif(is_array($cached_forum_perms) && isset($forum_data['fid']) && !empty($cached_forum_perms[$forum_data['fid']][$usergroup['gid']]))
{
$perms = $cached_forum_perms[$forum_data['fid']][$usergroup['gid']];
$default_checked = true;
}
else if(is_array($cached_forum_perms) && isset($forum_data['fid']) && !empty($cached_forum_perms[$forum_data['pid']][$usergroup['gid']]))
{
$perms = $cached_forum_perms[$forum_data['pid']][$usergroup['gid']];
$default_checked = true;
}
}
```
Fixed Code:
```php
foreach($usergroups as $usergroup)
{
$perms = array();
if(isset($existing_permissions) && is_array($existing_permissions) && $existing_permissions[$usergroup['gid']])
{
$perms = $existing_permissions[$usergroup['gid']];
$default_checked = false;
}
elseif(is_array($cached_forum_perms) && isset($forum_data['fid']) && !empty($cached_forum_perms[$forum_data['fid']][$usergroup['gid']]))
{
$perms = $cached_forum_perms[$forum_data['fid']][$usergroup['gid']];
$default_checked = true;
}
else if(is_array($cached_forum_perms) && isset($forum_data['pid']) && !empty($cached_forum_perms[$forum_data['pid']][$usergroup['gid']]))
{
$perms = $cached_forum_perms[$forum_data['pid']][$usergroup['gid']];
$default_checked = true;
}
```
Vulnerability Existed: yes
Input Validation Bypass [Upload/admin/modules/forum/management.php] [Line 2322]
Old Code:
```php
foreach($mybb->input['disporder'] as $update_fid => $order)
{
$db->update_query("forums", array('disporder' => (int)$order), "fid='".(int)$update_fid."'");
}
```
Fixed Code:
```php
foreach($mybb->input['disporder'] as $update_fid => $order)
{
if(is_numeric($order) && (int)$order >= 0)
{
$db->update_query("forums", array('disporder' => (int)$order), "fid='".(int)$update_fid."'");
}
}
```
--- /root/PatchLeaks-main/products/1838/Upload/admin/modules/user/groups.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/modules/user/groups.php@@ -99,6 +99,8 @@ die("Direct initialization of this file is not allowed.<br /><br />Please make sure IN_MYBB is defined."); }+$errors = array();+ $page->add_breadcrumb_item($lang->user_groups, "index.php?module=user-groups"); if($mybb->input['action'] == "add" || !$mybb->input['action'])@@ -341,7 +343,7 @@ } // No errors, insert- if(!$errors)+ if(empty($errors)) { $new_leader = array( "gid" => $group['gid'],@@ -466,7 +468,7 @@ $form = new Form("index.php?module=user-groups&action=add_leader&gid={$group['gid']}", "post");- if($errors)+ if(!empty($errors)) { $page->output_inline_error($errors); }@@ -483,9 +485,9 @@ $form_container = new FormContainer($lang->add_group_leader.' '.htmlspecialchars_uni($group['title'])); $form_container->output_row($lang->username." <em>*</em>", "", $form->generate_text_box('username', htmlspecialchars_uni($mybb->get_input('username')), array('id' => 'username')), 'username');- $form_container->output_row($lang->can_manage_group_members, $lang->can_manage_group_members_desc, $form->generate_yes_no_radio('canmanagemembers', $mybb->input['canmanagemembers']));- $form_container->output_row($lang->can_manage_group_join_requests, $lang->can_manage_group_join_requests_desc, $form->generate_yes_no_radio('canmanagerequests', $mybb->input['canmanagerequests']));- $form_container->output_row($lang->can_invite_group_members, $lang->can_invite_group_members_desc, $form->generate_yes_no_radio('caninvitemembers', $mybb->input['caninvitemembers']));+ $form_container->output_row($lang->can_manage_group_members, $lang->can_manage_group_members_desc, $form->generate_yes_no_radio('canmanagemembers', $mybb->get_input('canmanagemembers', MyBB::INPUT_INT)));+ $form_container->output_row($lang->can_manage_group_join_requests, $lang->can_manage_group_join_requests_desc, 
$form->generate_yes_no_radio('canmanagerequests', $mybb->get_input('canmanagerequests', MyBB::INPUT_INT)));+ $form_container->output_row($lang->can_invite_group_members, $lang->can_invite_group_members_desc, $form->generate_yes_no_radio('caninvitemembers', $mybb->get_input('caninvitemembers', MyBB::INPUT_INT))); $form_container->output_row($lang->make_user_member, $lang->make_user_member_desc, $form->generate_yes_no_radio('makeleadermember', $mybb->input['makeleadermember'])); $form_container->end();@@ -625,7 +627,7 @@ admin_redirect("index.php?module=user-groups&action=leaders&gid={$group['gid']}"); }- if(!$errors)+ if(empty($errors)) { $mybb->input = array_merge($mybb->input, $leader); }@@ -650,9 +652,9 @@ $form_container = new FormContainer($lang->edit_group_leader); $form_container->output_row($lang->username." <em>*</em>", "", $leader['username']);- $form_container->output_row($lang->can_manage_group_members, $lang->can_manage_group_members_desc, $form->generate_yes_no_radio('canmanagemembers', $mybb->input['canmanagemembers']));- $form_container->output_row($lang->can_manage_group_join_requests, $lang->can_manage_group_join_requests_desc, $form->generate_yes_no_radio('canmanagerequests', $mybb->input['canmanagerequests']));- $form_container->output_row($lang->can_invite_group_members, $lang->can_invite_group_members_desc, $form->generate_yes_no_radio('caninvitemembers', $mybb->input['caninvitemembers']));+ $form_container->output_row($lang->can_manage_group_members, $lang->can_manage_group_members_desc, $form->generate_yes_no_radio('canmanagemembers', $mybb->get_input('canmanagemembers', MyBB::INPUT_INT)));+ $form_container->output_row($lang->can_manage_group_join_requests, $lang->can_manage_group_join_requests_desc, $form->generate_yes_no_radio('canmanagerequests', $mybb->get_input('canmanagerequests', MyBB::INPUT_INT)));+ $form_container->output_row($lang->can_invite_group_members, $lang->can_invite_group_members_desc, 
$form->generate_yes_no_radio('caninvitemembers', $mybb->get_input('caninvitemembers', MyBB::INPUT_INT))); $buttons[] = $form->generate_submit_button($lang->save_group_leader); $form_container->end();@@ -678,7 +680,7 @@ $errors[] = $lang->error_missing_namestyle_username; }- if(!$errors)+ if(empty($errors)) { if($mybb->get_input('stars') < 1) {@@ -762,7 +764,7 @@ $page->output_nav_tabs($sub_tabs, 'add_group'); $form = new Form("index.php?module=user-groups&action=add", "post");- if($errors)+ if(!empty($errors)) { $page->output_inline_error($errors); }@@ -834,7 +836,7 @@ $errors[] = $lang->error_cannot_have_both_types; }- if(!$errors)+ if(empty($errors)) { if($mybb->get_input('joinable') == 1) {@@ -1001,7 +1003,7 @@ $page->output_nav_tabs($sub_tabs, 'edit_group'); // If we have any error messages, show them- if($errors)+ if(!empty($errors)) { $page->output_inline_error($errors); }@@ -1069,12 +1071,12 @@ $form_container->output_row($lang->group_image, $lang->group_image_desc, $form->generate_text_box('image', $mybb->input['image'], array('id' => 'image')), 'image'); $general_options = array();- $general_options[] = $form->generate_check_box("showmemberlist", 1, $lang->member_list, array("checked" => $mybb->input['showmemberlist']));+ $general_options[] = $form->generate_check_box("showmemberlist", 1, $lang->member_list, array("checked" => $mybb->get_input('showmemberlist', MyBB::INPUT_INT))); if($usergroup['gid'] != "1" && $usergroup['gid'] != "5") {- $general_options[] = $form->generate_check_box("showforumteam", 1, $lang->forum_team, array("checked" => $mybb->input['showforumteam']));- }- $general_options[] = $form->generate_check_box("isbannedgroup", 1, $lang->is_banned_group, array("checked" => $mybb->input['isbannedgroup']));+ $general_options[] = $form->generate_check_box("showforumteam", 1, $lang->forum_team, array("checked" => $mybb->get_input('showforumteam', MyBB::INPUT_INT)));+ }+ $general_options[] = $form->generate_check_box("isbannedgroup", 1, 
$lang->is_banned_group, array("checked" => $mybb->get_input('isbannedgroup', MyBB::INPUT_INT))); $form_container->output_row($lang->general_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $general_options)."</div>");@@ -1082,17 +1084,17 @@ { $public_options = array( $form->generate_check_box("joinable", 1, $lang->user_joinable, array("checked" => $mybb->input['joinable'])),- $form->generate_check_box("moderate", 1, $lang->moderate_join_requests, array("checked" => $mybb->input['moderate'])),+ $form->generate_check_box("moderate", 1, $lang->moderate_join_requests, array("checked" => $mybb->get_input('moderate', MyBB::INPUT_INT))), $form->generate_check_box("invite", 1, $lang->invite_only, array("checked" => $mybb->input['invite'])),- $form->generate_check_box("candisplaygroup", 1, $lang->can_set_as_display_group, array("checked" => $mybb->input['candisplaygroup'])),+ $form->generate_check_box("candisplaygroup", 1, $lang->can_set_as_display_group, array("checked" => $mybb->get_input('candisplaygroup', MyBB::INPUT_INT))), ); $form_container->output_row($lang->publicly_joinable_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $public_options)."</div>"); } $admin_options = array(- $form->generate_check_box("issupermod", 1, $lang->is_super_mod, array("checked" => $mybb->input['issupermod'])),- $form->generate_check_box("canmodcp", 1, $lang->can_access_mod_cp, array("checked" => $mybb->input['canmodcp'])),- $form->generate_check_box("cancp", 1, $lang->can_access_admin_cp, array("checked" => $mybb->input['cancp']))+ $form->generate_check_box("issupermod", 1, $lang->is_super_mod, array("checked" => $mybb->get_input('issupermod', MyBB::INPUT_INT))),+ $form->generate_check_box("canmodcp", 1, $lang->can_access_mod_cp, array("checked" => $mybb->get_input('canmodcp', MyBB::INPUT_INT))),+ $form->generate_check_box("cancp", 1, $lang->can_access_admin_cp, array("checked" => 
$mybb->get_input('cancp', MyBB::INPUT_INT))) ); $form_container->output_row($lang->moderation_administration_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $admin_options)."</div>");@@ -1106,40 +1108,40 @@ $form_container = new FormContainer($lang->forums_posts); $viewing_options = array(- $form->generate_check_box("canview", 1, $lang->can_view_board, array("checked" => $mybb->input['canview'])),- $form->generate_check_box("canviewthreads", 1, $lang->can_view_threads, array("checked" => $mybb->input['canviewthreads'])),- $form->generate_check_box("cansearch", 1, $lang->can_search_forums, array("checked" => $mybb->input['cansearch'])),- $form->generate_check_box("canviewprofiles", 1, $lang->can_view_profiles, array("checked" => $mybb->input['canviewprofiles'])),- $form->generate_check_box("candlattachments", 1, $lang->can_download_attachments, array("checked" => $mybb->input['candlattachments'])),- $form->generate_check_box("canviewboardclosed", 1, $lang->can_view_board_closed, array("checked" => $mybb->input['canviewboardclosed']))+ $form->generate_check_box("canview", 1, $lang->can_view_board, array("checked" => $mybb->get_input('canview', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewthreads", 1, $lang->can_view_threads, array("checked" => $mybb->get_input('canviewthreads', MyBB::INPUT_INT))),+ $form->generate_check_box("cansearch", 1, $lang->can_search_forums, array("checked" => $mybb->get_input('cansearch', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewprofiles", 1, $lang->can_view_profiles, array("checked" => $mybb->get_input('canviewprofiles', MyBB::INPUT_INT))),+ $form->generate_check_box("candlattachments", 1, $lang->can_download_attachments, array("checked" => $mybb->get_input('candlattachments', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewboardclosed", 1, $lang->can_view_board_closed, array("checked" => $mybb->get_input('canviewboardclosed', MyBB::INPUT_INT))) ); 
$form_container->output_row($lang->viewing_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $viewing_options)."</div>"); $posting_options = array(- $form->generate_check_box("canpostthreads", 1, $lang->can_post_threads, array("checked" => $mybb->input['canpostthreads'])),- $form->generate_check_box("canpostreplys", 1, $lang->can_post_replies, array("checked" => $mybb->input['canpostreplys'])),- $form->generate_check_box("canratethreads", 1, $lang->can_rate_threads, array("checked" => $mybb->input['canratethreads'])),+ $form->generate_check_box("canpostthreads", 1, $lang->can_post_threads, array("checked" => $mybb->get_input('canpostthreads', MyBB::INPUT_INT))),+ $form->generate_check_box("canpostreplys", 1, $lang->can_post_replies, array("checked" => $mybb->get_input('canpostreplys', MyBB::INPUT_INT))),+ $form->generate_check_box("canratethreads", 1, $lang->can_rate_threads, array("checked" => $mybb->get_input('canratethreads', MyBB::INPUT_INT))), "{$lang->max_posts_per_day}<br /><small class=\"input\">{$lang->max_posts_per_day_desc}</small><br />".$form->generate_numeric_field('maxposts', $mybb->input['maxposts'], array('id' => 'maxposts', 'class' => 'field50', 'min' => 0)) ); $form_container->output_row($lang->posting_rating_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $posting_options)."</div>"); $moderator_options = array(- $form->generate_check_box("modposts", 1, $lang->mod_new_posts, array("checked" => $mybb->input['modposts'])),- $form->generate_check_box("modthreads", 1, $lang->mod_new_threads, array("checked" => $mybb->input['modthreads'])),- $form->generate_check_box("modattachments", 1, $lang->mod_new_attachments, array("checked" => $mybb->input['modattachments'])),- $form->generate_check_box("mod_edit_posts", 1, $lang->mod_after_edit, array("checked" => $mybb->input['mod_edit_posts']))+ $form->generate_check_box("modposts", 1, 
$lang->mod_new_posts, array("checked" => $mybb->get_input('modposts', MyBB::INPUT_INT))),+ $form->generate_check_box("modthreads", 1, $lang->mod_new_threads, array("checked" => $mybb->get_input('modthreads', MyBB::INPUT_INT))),+ $form->generate_check_box("modattachments", 1, $lang->mod_new_attachments, array("checked" => $mybb->get_input('modattachments', MyBB::INPUT_INT))),+ $form->generate_check_box("mod_edit_posts", 1, $lang->mod_after_edit, array("checked" => $mybb->get_input('mod_edit_posts', MyBB::INPUT_INT))) ); $form_container->output_row($lang->moderation_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $moderator_options)."</div>"); $poll_options = array(- $form->generate_check_box("canpostpolls", 1, $lang->can_post_polls, array("checked" => $mybb->input['canpostpolls'])),- $form->generate_check_box("canvotepolls", 1, $lang->can_vote_polls, array("checked" => $mybb->input['canvotepolls'])),- $form->generate_check_box("canundovotes", 1, $lang->can_undo_votes, array("checked" => $mybb->input['canundovotes']))+ $form->generate_check_box("canpostpolls", 1, $lang->can_post_polls, array("checked" => $mybb->get_input('canpostpolls', MyBB::INPUT_INT))),+ $form->generate_check_box("canvotepolls", 1, $lang->can_vote_polls, array("checked" => $mybb->get_input('canvotepolls', MyBB::INPUT_INT))),+ $form->generate_check_box("canundovotes", 1, $lang->can_undo_votes, array("checked" => $mybb->get_input('canundovotes', MyBB::INPUT_INT))) ); $form_container->output_row($lang->poll_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $poll_options)."</div>"); $attachment_options = array(- $form->generate_check_box("canpostattachments", 1, $lang->can_post_attachments, array("checked" => $mybb->input['canpostattachments'])),+ $form->generate_check_box("canpostattachments", 1, $lang->can_post_attachments, array("checked" => $mybb->get_input('canpostattachments', 
MyBB::INPUT_INT))), "{$lang->attach_quota}<br /><small class=\"input\">{$lang->attach_quota_desc}</small><br />".$form->generate_numeric_field('attachquota', $mybb->input['attachquota'], array('id' => 'attachquota', 'class' => 'field50', 'min' => 0)). "KB" ); $form_container->output_row($lang->attachment_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $attachment_options)."</div>");@@ -1148,11 +1150,11 @@ if($usergroup['gid'] != 1) { $editing_options = array(- $form->generate_check_box("caneditposts", 1, $lang->can_edit_posts, array("checked" => $mybb->input['caneditposts'])),- $form->generate_check_box("candeleteposts", 1, $lang->can_delete_posts, array("checked" => $mybb->input['candeleteposts'])),- $form->generate_check_box("candeletethreads", 1, $lang->can_delete_threads, array("checked" => $mybb->input['candeletethreads'])),- $form->generate_check_box("caneditattachments", 1, $lang->can_edit_attachments, array("checked" => $mybb->input['caneditattachments'])),- $form->generate_check_box("canviewdeletionnotice", 1, $lang->can_view_deletion_notices, array("checked" => $mybb->input['canviewdeletionnotice'])),+ $form->generate_check_box("caneditposts", 1, $lang->can_edit_posts, array("checked" => $mybb->get_input('caneditposts', MyBB::INPUT_INT))),+ $form->generate_check_box("candeleteposts", 1, $lang->can_delete_posts, array("checked" => $mybb->get_input('candeleteposts', MyBB::INPUT_INT))),+ $form->generate_check_box("candeletethreads", 1, $lang->can_delete_threads, array("checked" => $mybb->get_input('candeletethreads', MyBB::INPUT_INT))),+ $form->generate_check_box("caneditattachments", 1, $lang->can_edit_attachments, array("checked" => $mybb->get_input('caneditattachments', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewdeletionnotice", 1, $lang->can_view_deletion_notices, array("checked" => $mybb->get_input('canviewdeletionnotice', MyBB::INPUT_INT))), "{$lang->edit_time_limit}<br /><small 
class=\"input\">{$lang->edit_time_limit_desc}</small><br />".$form->generate_numeric_field('edittimelimit', $mybb->input['edittimelimit'], array('id' => 'edittimelimit', 'class' => 'field50', 'min' => 0)) ); $form_container->output_row($lang->editing_deleting_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $editing_options)."</div>");@@ -1168,23 +1170,23 @@ $form_container = new FormContainer($lang->users_permissions); $account_options = array(- $form->generate_check_box("canbereported", 1, $lang->can_be_reported, array("checked" => $mybb->input['canbereported'])),- $form->generate_check_box("canbeinvisible", 1, $lang->can_be_invisible, array("checked" => $mybb->input['canbeinvisible'])),- $form->generate_check_box("canusercp", 1, $lang->can_access_usercp, array("checked" => $mybb->input['canusercp'])),- $form->generate_check_box("canchangename", 1, $lang->can_change_username, array("checked" => $mybb->input['canchangename'])),- $form->generate_check_box("cancustomtitle", 1, $lang->can_use_usertitles, array("checked" => $mybb->input['cancustomtitle'])),- $form->generate_check_box("canuploadavatars", 1, $lang->can_upload_avatars, array("checked" => $mybb->input['canuploadavatars'])),- $form->generate_check_box("canusesig", 1, $lang->can_use_signature, array("checked" => $mybb->input['canusesig'])),- $form->generate_check_box("signofollow", 1, $lang->uses_no_follow, array("checked" => $mybb->input['signofollow'])),- $form->generate_check_box("canchangewebsite", 1, $lang->can_change_website, array("checked" => $mybb->input['canchangewebsite'])),- "{$lang->required_posts}<br /><small class=\"input\">{$lang->required_posts_desc}</small><br />".$form->generate_numeric_field('canusesigxposts', $mybb->input['canusesigxposts'], array('id' => 'canusesigxposts', 'class' => 'field50', 'min' => 0))+ $form->generate_check_box("canbereported", 1, $lang->can_be_reported, array("checked" => $mybb->get_input('canbereported', 
MyBB::INPUT_INT))),+ $form->generate_check_box("canbeinvisible", 1, $lang->can_be_invisible, array("checked" => $mybb->get_input('canbeinvisible', MyBB::INPUT_INT))),+ $form->generate_check_box("canusercp", 1, $lang->can_access_usercp, array("checked" => $mybb->get_input('canusercp', MyBB::INPUT_INT))),+ $form->generate_check_box("canchangename", 1, $lang->can_change_username, array("checked" => $mybb->get_input('canchangename', MyBB::INPUT_INT))),+ $form->generate_check_box("cancustomtitle", 1, $lang->can_use_usertitles, array("checked" => $mybb->get_input('cancustomtitle', MyBB::INPUT_INT))),+ $form->generate_check_box("canuploadavatars", 1, $lang->can_upload_avatars, array("checked" => $mybb->get_input('canuploadavatars', MyBB::INPUT_INT))),+ $form->generate_check_box("canusesig", 1, $lang->can_use_signature, array("checked" => $mybb->get_input('canusesig', MyBB::INPUT_INT))),+ $form->generate_check_box("signofollow", 1, $lang->uses_no_follow, array("checked" => $mybb->get_input('signofollow', MyBB::INPUT_INT))),+ $form->generate_check_box("canchangewebsite", 1, $lang->can_change_website, array("checked" => $mybb->get_input('canchangewebsite', MyBB::INPUT_INT))),+ "{$lang->required_posts}<br /><small class=\"input\">{$lang->required_posts_desc}</small><br />".$form->generate_numeric_field('canusesigxposts', $mybb->get_input('canusesigxposts', MyBB::INPUT_INT), array('id' => 'canusesigxposts', 'class' => 'field50', 'min' => 0)) ); $form_container->output_row($lang->account_management, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $account_options)."</div>"); $reputation_options = array(- $form->generate_check_box("usereputationsystem", 1, $lang->show_reputations, array("checked" => $mybb->input['usereputationsystem'])),- $form->generate_check_box("cangivereputations", 1, $lang->can_give_reputation, array("checked" => $mybb->input['cangivereputations'])),- $form->generate_check_box("candeletereputations", 1, 
$lang->can_delete_own_reputation, array("checked" => $mybb->input['candeletereputations'])),+ $form->generate_check_box("usereputationsystem", 1, $lang->show_reputations, array("checked" => $mybb->get_input('usereputationsystem', MyBB::INPUT_INT))),+ $form->generate_check_box("cangivereputations", 1, $lang->can_give_reputation, array("checked" => $mybb->get_input('cangivereputations', MyBB::INPUT_INT))),+ $form->generate_check_box("candeletereputations", 1, $lang->can_delete_own_reputation, array("checked" => $mybb->get_input('candeletereputations', MyBB::INPUT_INT))), "{$lang->points_to_award_take}<br /><small class=\"input\">{$lang->points_to_award_take_desc}</small><br />".$form->generate_numeric_field('reputationpower', $mybb->input['reputationpower'], array('id' => 'reputationpower', 'class' => 'field50', 'min' => 0)), "{$lang->max_reputations_perthread}<br /><small class=\"input\">{$lang->max_reputations_perthread_desc}</small><br />".$form->generate_numeric_field('maxreputationsperthread', $mybb->input['maxreputationsperthread'], array('id' => 'maxreputationsperthread', 'class' => 'field50', 'min' => 0)), "{$lang->max_reputations_peruser}<br /><small class=\"input\">{$lang->max_reputations_peruser_desc}</small><br />".$form->generate_numeric_field('maxreputationsperuser', $mybb->input['maxreputationsperuser'], array('id' => 'maxreputationsperuser', 'class' => 'field50', 'min' => 0)),@@ -1193,18 +1195,18 @@ $form_container->output_row($lang->reputation_system, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $reputation_options)."</div>"); $warning_options = array(- $form->generate_check_box("canwarnusers", 1, $lang->can_send_warnings, array("checked" => $mybb->input['canwarnusers'])),- $form->generate_check_box("canreceivewarnings", 1, $lang->can_receive_warnings, array("checked" => $mybb->input['canreceivewarnings'])),+ $form->generate_check_box("canwarnusers", 1, $lang->can_send_warnings, array("checked" => 
$mybb->get_input('canwarnusers', MyBB::INPUT_INT))),+ $form->generate_check_box("canreceivewarnings", 1, $lang->can_receive_warnings, array("checked" => $mybb->get_input('canreceivewarnings', MyBB::INPUT_INT))), "{$lang->warnings_per_day}<br />".$form->generate_numeric_field('maxwarningsday', $mybb->input['maxwarningsday'], array('id' => 'maxwarningsday', 'class' => 'field50')) ); $form_container->output_row($lang->warning_system, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $warning_options)."</div>"); $pm_options = array(- $form->generate_check_box("canusepms", 1, $lang->can_use_pms, array("checked" => $mybb->input['canusepms'])),- $form->generate_check_box("cansendpms", 1, $lang->can_send_pms, array("checked" => $mybb->input['cansendpms'])),- $form->generate_check_box("canoverridepm", 1, $lang->can_override_pms, array("checked" => $mybb->input['canoverridepm'])),- $form->generate_check_box("cantrackpms", 1, $lang->can_track_pms, array("checked" => $mybb->input['cantrackpms'])),- $form->generate_check_box("candenypmreceipts", 1, $lang->can_deny_reciept, array("checked" => $mybb->input['candenypmreceipts'])),+ $form->generate_check_box("canusepms", 1, $lang->can_use_pms, array("checked" => $mybb->get_input('canusepms', MyBB::INPUT_INT))),+ $form->generate_check_box("cansendpms", 1, $lang->can_send_pms, array("checked" => $mybb->get_input('cansendpms', MyBB::INPUT_INT))),+ $form->generate_check_box("canoverridepm", 1, $lang->can_override_pms, array("checked" => $mybb->get_input('canoverridepm', MyBB::INPUT_INT))),+ $form->generate_check_box("cantrackpms", 1, $lang->can_track_pms, array("checked" => $mybb->get_input('cantrackpms', MyBB::INPUT_INT))),+ $form->generate_check_box("candenypmreceipts", 1, $lang->can_deny_reciept, array("checked" => $mybb->get_input('candenypmreceipts', MyBB::INPUT_INT))), "{$lang->message_quota}<br /><small>{$lang->message_quota_desc}</small><br />".$form->generate_numeric_field('pmquota', 
$mybb->input['pmquota'], array('id' => 'pmquota', 'class' => 'field50', 'min' => 0)), "{$lang->max_recipients}<br /><small>{$lang->max_recipients_desc}</small><br />".$form->generate_numeric_field('maxpmrecipients', $mybb->input['maxpmrecipients'], array('id' => 'maxpmrecipients', 'class' => 'field50', 'min' => 0)) );@@ -1220,25 +1222,25 @@ $form_container = new FormContainer($lang->misc); $calendar_options = array(- $form->generate_check_box("canviewcalendar", 1, $lang->can_view_calendar, array("checked" => $mybb->input['canviewcalendar'])),- $form->generate_check_box("canaddevents", 1, $lang->can_post_events, array("checked" => $mybb->input['canaddevents'])),- $form->generate_check_box("canbypasseventmod", 1, $lang->can_bypass_event_moderation, array("checked" => $mybb->input['canbypasseventmod'])),- $form->generate_check_box("canmoderateevents", 1, $lang->can_moderate_events, array("checked" => $mybb->input['canmoderateevents']))+ $form->generate_check_box("canviewcalendar", 1, $lang->can_view_calendar, array("checked" => $mybb->get_input('canviewcalendar', MyBB::INPUT_INT))),+ $form->generate_check_box("canaddevents", 1, $lang->can_post_events, array("checked" => $mybb->get_input('canaddevents', MyBB::INPUT_INT))),+ $form->generate_check_box("canbypasseventmod", 1, $lang->can_bypass_event_moderation, array("checked" => $mybb->get_input('canbypasseventmod', MyBB::INPUT_INT))),+ $form->generate_check_box("canmoderateevents", 1, $lang->can_moderate_events, array("checked" => $mybb->get_input('canmoderateevents', MyBB::INPUT_INT))) ); $form_container->output_row($lang->calendar, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $calendar_options)."</div>"); $wol_options = array(- $form->generate_check_box("canviewonline", 1, $lang->can_view_whos_online, array("checked" => $mybb->input['canviewonline'])),- $form->generate_check_box("canviewwolinvis", 1, $lang->can_view_invisible, array("checked" => 
$mybb->input['canviewwolinvis'])),- $form->generate_check_box("canviewonlineips", 1, $lang->can_view_ips, array("checked" => $mybb->input['canviewonlineips']))+ $form->generate_check_box("canviewonline", 1, $lang->can_view_whos_online, array("checked" => $mybb->get_input('canviewonline', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewwolinvis", 1, $lang->can_view_invisible, array("checked" => $mybb->get_input('canviewwolinvis', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewonlineips", 1, $lang->can_view_ips, array("checked" => $mybb->get_input('canviewonlineips', MyBB::INPUT_INT))) ); $form_container->output_row($lang->whos_online, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $wol_options)."</div>"); $misc_options = array(- $form->generate_check_box("canviewmemberlist", 1, $lang->can_view_member_list, array("checked" => $mybb->input['canviewmemberlist'])),- $form->generate_check_box("showinbirthdaylist", 1, $lang->show_in_birthday_list, array("checked" => $mybb->input['showinbirthdaylist'])),- $form->generate_check_box("cansendemail", 1, $lang->can_email_users, array("checked" => $mybb->input['cansendemail'])),- $form->generate_check_box("cansendemailoverride", 1, $lang->can_email_users_override, array("checked" => $mybb->input['cansendemailoverride'])),+ $form->generate_check_box("canviewmemberlist", 1, $lang->can_view_member_list, array("checked" => $mybb->get_input('canviewmemberlist', MyBB::INPUT_INT))),+ $form->generate_check_box("showinbirthdaylist", 1, $lang->show_in_birthday_list, array("checked" => $mybb->get_input('showinbirthdaylist', MyBB::INPUT_INT))),+ $form->generate_check_box("cansendemail", 1, $lang->can_email_users, array("checked" => $mybb->get_input('cansendemail', MyBB::INPUT_INT))),+ $form->generate_check_box("cansendemailoverride", 1, $lang->can_email_users_override, array("checked" => $mybb->get_input('cansendemailoverride', MyBB::INPUT_INT))), "{$lang->max_emails_per_day}<br 
/><small class=\"input\">{$lang->max_emails_per_day_desc}</small><br />".$form->generate_numeric_field('maxemails', $mybb->input['maxemails'], array('id' => 'maxemails', 'class' => 'field50', 'min' => 0)), "{$lang->email_flood_time}<br /><small class=\"input\">{$lang->email_flood_time_desc}</small><br />".$form->generate_numeric_field('emailfloodtime', $mybb->input['emailfloodtime'], array('id' => 'emailfloodtime', 'class' => 'field50', 'min' => 0)) );@@ -1254,18 +1256,18 @@ $form_container = new FormContainer($lang->mod_cp); $forum_post_options = array(- $form->generate_check_box("canmanageannounce", 1, $lang->can_manage_announce, array("checked" => $mybb->input['canmanageannounce'])),- $form->generate_check_box("canmanagemodqueue", 1, $lang->can_manage_mod_queue, array("checked" => $mybb->input['canmanagemodqueue'])),- $form->generate_check_box("canmanagereportedcontent", 1, $lang->can_manage_reported_content, array("checked" => $mybb->input['canmanagereportedcontent'])),- $form->generate_check_box("canviewmodlogs", 1, $lang->can_view_mod_logs, array("checked" => $mybb->input['canviewmodlogs']))+ $form->generate_check_box("canmanageannounce", 1, $lang->can_manage_announce, array("checked" => $mybb->get_input('canmanageannounce', MyBB::INPUT_INT))),+ $form->generate_check_box("canmanagemodqueue", 1, $lang->can_manage_mod_queue, array("checked" => $mybb->get_input('canmanagemodqueue', MyBB::INPUT_INT))),+ $form->generate_check_box("canmanagereportedcontent", 1, $lang->can_manage_reported_content, array("checked" => $mybb->get_input('canmanagereportedcontent', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewmodlogs", 1, $lang->can_view_mod_logs, array("checked" => $mybb->get_input('canviewmodlogs', MyBB::INPUT_INT))) ); $form_container->output_row($lang->forum_post_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $forum_post_options)."</div>"); $user_options = array(- 
$form->generate_check_box("caneditprofiles", 1, $lang->can_edit_profiles, array("checked" => $mybb->input['caneditprofiles'])),- $form->generate_check_box("canbanusers", 1, $lang->can_ban_users, array("checked" => $mybb->input['canbanusers'])),- $form->generate_check_box("canviewwarnlogs", 1, $lang->can_view_warnlogs, array("checked" => $mybb->input['canviewwarnlogs'])),- $form->generate_check_box("canuseipsearch", 1, $lang->can_use_ipsearch, array("checked" => $mybb->input['canuseipsearch']))+ $form->generate_check_box("caneditprofiles", 1, $lang->can_edit_profiles, array("checked" => $mybb->get_input('caneditprofiles', MyBB::INPUT_INT))),+ $form->generate_check_box("canbanusers", 1, $lang->can_ban_users, array("checked" => $mybb->get_input('canbanusers', MyBB::INPUT_INT))),+ $form->generate_check_box("canviewwarnlogs", 1, $lang->can_view_warnlogs, array("checked" => $mybb->get_input('canviewwarnlogs', MyBB::INPUT_INT))),+ $form->generate_check_box("canuseipsearch", 1, $lang->can_use_ipsearch, array("checked" => $mybb->get_input('canuseipsearch', MyBB::INPUT_INT))) ); $form_container->output_row($lang->user_options, "", "<div class=\"group_settings_bit\">".implode("</div><div class=\"group_settings_bit\">", $user_options)."</div>");@@ -1377,7 +1379,7 @@ { $gid = (int)$gid; $order = (int)$order;- if($gid != 0 && $order != 0)+ if($gid != 0 && $order > 0) { $sql_array = array( 'disporder' => $order,@@ -1405,7 +1407,10 @@ { foreach($mybb->input['disporder'] as $gid => $order) {- $db->update_query("usergroups", array('disporder' => (int)$order), "gid='".(int)$gid."'");+ if(is_numeric($order) && (int)$order >= 0)+ {+ $db->update_query("usergroups", array('disporder' => (int)$order), "gid='".(int)$gid."'");+ } } $plugins->run_hooks("admin_user_groups_start_commit");@@ -1536,7 +1541,7 @@ if($usergroup['showforumteam'] == 1) {- $form_container->output_cell($form->generate_numeric_field("disporder[{$usergroup['gid']}]", "{$usergroup['disporder']}", array('class' => 
'align_center', 'style' => 'width:80%')), array("class" => "align_center"));+ $form_container->output_cell($form->generate_numeric_field("disporder[{$usergroup['gid']}]", "{$usergroup['disporder']}", array('min' => 0, 'class' => 'align_center', 'style' => 'width:80%')), array("class" => "align_center")); } else {
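Review bot: the conversion to `$mybb->get_input(..., MyBB::INPUT_INT)` is incomplete in the hunks from @@ -1148 to @@ -1254. The checkbox rows are converted, but the numeric fields in the unchanged context lines still read `$mybb->input[...]` directly: `attachquota`, `edittimelimit`, `reputationpower`, `maxreputationsperthread`, `maxreputationsperuser`, `maxwarningsday`, `pmquota`, `maxpmrecipients`, `maxemails` and `emailfloodtime`. Only `canusesigxposts` (in the @@ -1168 hunk) was switched. If the aim is to stop undefined-index notices and non-integer values from reaching the form helpers, give these fields the same treatment, for example `$form->generate_numeric_field('pmquota', $mybb->get_input('pmquota', MyBB::INPUT_INT), ...)`.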
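Review bot: the display-order paths now disagree on whether 0 is a valid value. The @@ -1377 hunk requires `$order > 0`, the @@ -1405 hunk accepts `(int)$order >= 0`, and the form field in the @@ -1536 hunk advertises `'min' => 0`. Choose one lower bound and apply it in all three places, or add a comment explaining why the two handlers differ. Note also that `'min' => 0` is only a browser-side hint, so the server-side checks are the ones that have to agree.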
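Review bot: `is_numeric($order)` in the @@ -1405 hunk is looser than an integer check. It accepts strings such as "1.5" or "1e3", which the following `(int)$order` cast then converts silently. A digits-only test such as `ctype_digit((string)$order)`, or `filter_var($order, FILTER_VALIDATE_INT)` with a `min_range` of 0, matches the intent more closely. The new `if` also has no `else`, so rejected values are dropped without any message to the administrator; consider flagging an error instead of skipping the row.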
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$form_container->output_row($lang->can_manage_group_members, $lang->can_manage_group_members_desc, $form->generate_yes_no_radio('canmanagemembers', $mybb->input['canmanagemembers']));
$form_container->output_row($lang->can_manage_group_join_requests, $lang->can_manage_group_join_requests_desc, $form->generate_yes_no_radio('canmanagerequests', $mybb->input['canmanagerequests']));
$form_container->output_row($lang->can_invite_group_members, $lang->can_invite_group_members_desc, $form->generate_yes_no_radio('caninvitemembers', $mybb->input['caninvitemembers']));
```
Fixed Code
```php
$form_container->output_row($lang->can_manage_group_members, $lang->can_manage_group_members_desc, $form->generate_yes_no_radio('canmanagemembers', $mybb->get_input('canmanagemembers', MyBB::INPUT_INT)));
$form_container->output_row($lang->can_manage_group_join_requests, $lang->can_manage_group_join_requests_desc, $form->generate_yes_no_radio('canmanagerequests', $mybb->get_input('canmanagerequests', MyBB::INPUT_INT)));
$form_container->output_row($lang->can_invite_group_members, $lang->can_invite_group_members_desc, $form->generate_yes_no_radio('caninvitemembers', $mybb->get_input('caninvitemembers', MyBB::INPUT_INT)));
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$general_options[] = $form->generate_check_box("showmemberlist", 1, $lang->member_list, array("checked" => $mybb->input['showmemberlist']));
$general_options[] = $form->generate_check_box("showforumteam", 1, $lang->forum_team, array("checked" => $mybb->input['showforumteam']));
$general_options[] = $form->generate_check_box("isbannedgroup", 1, $lang->is_banned_group, array("checked" => $mybb->input['isbannedgroup']));
```
Fixed Code
```php
$general_options[] = $form->generate_check_box("showmemberlist", 1, $lang->member_list, array("checked" => $mybb->get_input('showmemberlist', MyBB::INPUT_INT)));
$general_options[] = $form->generate_check_box("showforumteam", 1, $lang->forum_team, array("checked" => $mybb->get_input('showforumteam', MyBB::INPUT_INT)));
$general_options[] = $form->generate_check_box("isbannedgroup", 1, $lang->is_banned_group, array("checked" => $mybb->get_input('isbannedgroup', MyBB::INPUT_INT)));
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$admin_options = array(
$form->generate_check_box("issupermod", 1, $lang->is_super_mod, array("checked" => $mybb->input['issupermod'])),
$form->generate_check_box("canmodcp", 1, $lang->can_access_mod_cp, array("checked" => $mybb->input['canmodcp'])),
$form->generate_check_box("cancp", 1, $lang->can_access_admin_cp, array("checked" => $mybb->input['cancp']))
);
```
Fixed Code
```php
$admin_options = array(
$form->generate_check_box("issupermod", 1, $lang->is_super_mod, array("checked" => $mybb->get_input('issupermod', MyBB::INPUT_INT))),
$form->generate_check_box("canmodcp", 1, $lang->can_access_mod_cp, array("checked" => $mybb->get_input('canmodcp', MyBB::INPUT_INT))),
$form->generate_check_box("cancp", 1, $lang->can_access_admin_cp, array("checked" => $mybb->get_input('cancp', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$viewing_options = array(
$form->generate_check_box("canview", 1, $lang->can_view_board, array("checked" => $mybb->input['canview'])),
$form->generate_check_box("canviewthreads", 1, $lang->can_view_threads, array("checked" => $mybb->input['canviewthreads'])),
$form->generate_check_box("cansearch", 1, $lang->can_search_forums, array("checked" => $mybb->input['cansearch'])),
$form->generate_check_box("canviewprofiles", 1, $lang->can_view_profiles, array("checked" => $mybb->input['canviewprofiles'])),
$form->generate_check_box("candlattachments", 1, $lang->can_download_attachments, array("checked" => $mybb->input['candlattachments'])),
$form->generate_check_box("canviewboardclosed", 1, $lang->can_view_board_closed, array("checked" => $mybb->input['canviewboardclosed']))
);
```
Fixed Code
```php
$viewing_options = array(
$form->generate_check_box("canview", 1, $lang->can_view_board, array("checked" => $mybb->get_input('canview', MyBB::INPUT_INT))),
$form->generate_check_box("canviewthreads", 1, $lang->can_view_threads, array("checked" => $mybb->get_input('canviewthreads', MyBB::INPUT_INT))),
$form->generate_check_box("cansearch", 1, $lang->can_search_forums, array("checked" => $mybb->get_input('cansearch', MyBB::INPUT_INT))),
$form->generate_check_box("canviewprofiles", 1, $lang->can_view_profiles, array("checked" => $mybb->get_input('canviewprofiles', MyBB::INPUT_INT))),
$form->generate_check_box("candlattachments", 1, $lang->can_download_attachments, array("checked" => $mybb->get_input('candlattachments', MyBB::INPUT_INT))),
$form->generate_check_box("canviewboardclosed", 1, $lang->can_view_board_closed, array("checked" => $mybb->get_input('canviewboardclosed', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$posting_options = array(
$form->generate_check_box("canpostthreads", 1, $lang->can_post_threads, array("checked" => $mybb->input['canpostthreads'])),
$form->generate_check_box("canpostreplys", 1, $lang->can_post_replies, array("checked" => $mybb->input['canpostreplys'])),
$form->generate_check_box("canratethreads", 1, $lang->can_rate_threads, array("checked" => $mybb->input['canratethreads'])),
```
Fixed Code
```php
$posting_options = array(
$form->generate_check_box("canpostthreads", 1, $lang->can_post_threads, array("checked" => $mybb->get_input('canpostthreads', MyBB::INPUT_INT))),
$form->generate_check_box("canpostreplys", 1, $lang->can_post_replies, array("checked" => $mybb->get_input('canpostreplys', MyBB::INPUT_INT))),
$form->generate_check_box("canratethreads", 1, $lang->can_rate_threads, array("checked" => $mybb->get_input('canratethreads', MyBB::INPUT_INT))),
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$moderator_options = array(
$form->generate_check_box("modposts", 1, $lang->mod_new_posts, array("checked" => $mybb->input['modposts'])),
$form->generate_check_box("modthreads", 1, $lang->mod_new_threads, array("checked" => $mybb->input['modthreads'])),
$form->generate_check_box("modattachments", 1, $lang->mod_new_attachments, array("checked" => $mybb->input['modattachments'])),
$form->generate_check_box("mod_edit_posts", 1, $lang->mod_after_edit, array("checked" => $mybb->input['mod_edit_posts']))
);
```
Fixed Code
```php
$moderator_options = array(
$form->generate_check_box("modposts", 1, $lang->mod_new_posts, array("checked" => $mybb->get_input('modposts', MyBB::INPUT_INT))),
$form->generate_check_box("modthreads", 1, $lang->mod_new_threads, array("checked" => $mybb->get_input('modthreads', MyBB::INPUT_INT))),
$form->generate_check_box("modattachments", 1, $lang->mod_new_attachments, array("checked" => $mybb->get_input('modattachments', MyBB::INPUT_INT))),
$form->generate_check_box("mod_edit_posts", 1, $lang->mod_after_edit, array("checked" => $mybb->get_input('mod_edit_posts', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$poll_options = array(
$form->generate_check_box("canpostpolls", 1, $lang->can_post_polls, array("checked" => $mybb->input['canpostpolls'])),
$form->generate_check_box("canvotepolls", 1, $lang->can_vote_polls, array("checked" => $mybb->input['canvotepolls'])),
$form->generate_check_box("canundovotes", 1, $lang->can_undo_votes, array("checked" => $mybb->input['canundovotes']))
);
```
Fixed Code
```php
$poll_options = array(
$form->generate_check_box("canpostpolls", 1, $lang->can_post_polls, array("checked" => $mybb->get_input('canpostpolls', MyBB::INPUT_INT))),
$form->generate_check_box("canvotepolls", 1, $lang->can_vote_polls, array("checked" => $mybb->get_input('canvotepolls', MyBB::INPUT_INT))),
$form->generate_check_box("canundovotes", 1, $lang->can_undo_votes, array("checked" => $mybb->get_input('canundovotes', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$editing_options = array(
$form->generate_check_box("caneditposts", 1, $lang->can_edit_posts, array("checked" => $mybb->input['caneditposts'])),
$form->generate_check_box("candeleteposts", 1, $lang->can_delete_posts, array("checked" => $mybb->input['candeleteposts'])),
$form->generate_check_box("candeletethreads", 1, $lang->can_delete_threads, array("checked" => $mybb->input['candeletethreads'])),
$form->generate_check_box("caneditattachments", 1, $lang->can_edit_attachments, array("checked" => $mybb->input['caneditattachments'])),
$form->generate_check_box("canviewdeletionnotice", 1, $lang->can_view_deletion_notices, array("checked" => $mybb->input['canviewdeletionnotice'])),
```
Fixed Code
```php
$editing_options = array(
$form->generate_check_box("caneditposts", 1, $lang->can_edit_posts, array("checked" => $mybb->get_input('caneditposts', MyBB::INPUT_INT))),
$form->generate_check_box("candeleteposts", 1, $lang->can_delete_posts, array("checked" => $mybb->get_input('candeleteposts', MyBB::INPUT_INT))),
$form->generate_check_box("candeletethreads", 1, $lang->can_delete_threads, array("checked" => $mybb->get_input('candeletethreads', MyBB::INPUT_INT))),
$form->generate_check_box("caneditattachments", 1, $lang->can_edit_attachments, array("checked" => $mybb->get_input('caneditattachments', MyBB::INPUT_INT))),
$form->generate_check_box("canviewdeletionnotice", 1, $lang->can_view_deletion_notices, array("checked" => $mybb->get_input('canviewdeletionnotice', MyBB::INPUT_INT))),
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$account_options = array(
$form->generate_check_box("canbereported", 1, $lang->can_be_reported, array("checked" => $mybb->input['canbereported'])),
$form->generate_check_box("canbeinvisible", 1, $lang->can_be_invisible, array("checked" => $mybb->input['canbeinvisible'])),
$form->generate_check_box("canusercp", 1, $lang->can_access_usercp, array("checked" => $mybb->input['canusercp'])),
$form->generate_check_box("canchangename", 1, $lang->can_change_username, array("checked" => $mybb->input['canchangename'])),
$form->generate_check_box("cancustomtitle", 1, $lang->can_use_usertitles, array("checked" => $mybb->input['cancustomtitle'])),
$form->generate_check_box("canuploadavatars", 1, $lang->can_upload_avatars, array("checked" => $mybb->input['canuploadavatars'])),
$form->generate_check_box("canusesig", 1, $lang->can_use_signature, array("checked" => $mybb->input['canusesig'])),
$form->generate_check_box("signofollow", 1, $lang->uses_no_follow, array("checked" => $mybb->input['signofollow'])),
$form->generate_check_box("canchangewebsite", 1, $lang->can_change_website, array("checked" => $mybb->input['canchangewebsite'])),
```
Fixed Code
```php
$account_options = array(
$form->generate_check_box("canbereported", 1, $lang->can_be_reported, array("checked" => $mybb->get_input('canbereported', MyBB::INPUT_INT))),
$form->generate_check_box("canbeinvisible", 1, $lang->can_be_invisible, array("checked" => $mybb->get_input('canbeinvisible', MyBB::INPUT_INT))),
$form->generate_check_box("canusercp", 1, $lang->can_access_usercp, array("checked" => $mybb->get_input('canusercp', MyBB::INPUT_INT))),
$form->generate_check_box("canchangename", 1, $lang->can_change_username, array("checked" => $mybb->get_input('canchangename', MyBB::INPUT_INT))),
$form->generate_check_box("cancustomtitle", 1, $lang->can_use_usertitles, array("checked" => $mybb->get_input('cancustomtitle', MyBB::INPUT_INT))),
$form->generate_check_box("canuploadavatars", 1, $lang->can_upload_avatars, array("checked" => $mybb->get_input('canuploadavatars', MyBB::INPUT_INT))),
$form->generate_check_box("canusesig", 1, $lang->can_use_signature, array("checked" => $mybb->get_input('canusesig', MyBB::INPUT_INT))),
$form->generate_check_box("signofollow", 1, $lang->uses_no_follow, array("checked" => $mybb->get_input('signofollow', MyBB::INPUT_INT))),
$form->generate_check_box("canchangewebsite", 1, $lang->can_change_website, array("checked" => $mybb->get_input('canchangewebsite', MyBB::INPUT_INT))),
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$reputation_options = array(
$form->generate_check_box("usereputationsystem", 1, $lang->show_reputations, array("checked" => $mybb->input['usereputationsystem'])),
$form->generate_check_box("cangivereputations", 1, $lang->can_give_reputation, array("checked" => $mybb->input['cangivereputations'])),
$form->generate_check_box("candeletereputations", 1, $lang->can_delete_own_reputation, array("checked" => $mybb->input['candeletereputations'])),
```
Fixed Code
```php
$reputation_options = array(
$form->generate_check_box("usereputationsystem", 1, $lang->show_reputations, array("checked" => $mybb->get_input('usereputationsystem', MyBB::INPUT_INT))),
$form->generate_check_box("cangivereputations", 1, $lang->can_give_reputation, array("checked" => $mybb->get_input('cangivereputations', MyBB::INPUT_INT))),
$form->generate_check_box("candeletereputations", 1, $lang->can_delete_own_reputation, array("checked" => $mybb->get_input('candeletereputations', MyBB::INPUT_INT))),
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$warning_options = array(
$form->generate_check_box("canwarnusers", 1, $lang->can_send_warnings, array("checked" => $mybb->input['canwarnusers'])),
$form->generate_check_box("canreceivewarnings", 1, $lang->can_receive_warnings, array("checked" => $mybb->input['canreceivewarnings'])),
```
Fixed Code
```php
$warning_options = array(
$form->generate_check_box("canwarnusers", 1, $lang->can_send_warnings, array("checked" => $mybb->get_input('canwarnusers', MyBB::INPUT_INT))),
$form->generate_check_box("canreceivewarnings", 1, $lang->can_receive_warnings, array("checked" => $mybb->get_input('canreceivewarnings', MyBB::INPUT_INT))),
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$pm_options = array(
$form->generate_check_box("canusepms", 1, $lang->can_use_pms, array("checked" => $mybb->input['canusepms'])),
$form->generate_check_box("cansendpms", 1, $lang->can_send_pms, array("checked" => $mybb->input['cansendpms'])),
$form->generate_check_box("canoverridepm", 1, $lang->can_override_pms, array("checked" => $mybb->input['canoverridepm'])),
$form->generate_check_box("cantrackpms", 1, $lang->can_track_pms, array("checked" => $mybb->input['cantrackpms'])),
$form->generate_check_box("candenypmreceipts", 1, $lang->can_deny_reciept, array("checked" => $mybb->input['candenypmreceipts'])),
```
Fixed Code
```php
$pm_options = array(
$form->generate_check_box("canusepms", 1, $lang->can_use_pms, array("checked" => $mybb->get_input('canusepms', MyBB::INPUT_INT))),
$form->generate_check_box("cansendpms", 1, $lang->can_send_pms, array("checked" => $mybb->get_input('cansendpms', MyBB::INPUT_INT))),
$form->generate_check_box("canoverridepm", 1, $lang->can_override_pms, array("checked" => $mybb->get_input('canoverridepm', MyBB::INPUT_INT))),
$form->generate_check_box("cantrackpms", 1, $lang->can_track_pms, array("checked" => $mybb->get_input('cantrackpms', MyBB::INPUT_INT))),
$form->generate_check_box("candenypmreceipts", 1, $lang->can_deny_reciept, array("checked" => $mybb->get_input('candenypmreceipts', MyBB::INPUT_INT))),
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$calendar_options = array(
$form->generate_check_box("canviewcalendar", 1, $lang->can_view_calendar, array("checked" => $mybb->input['canviewcalendar'])),
$form->generate_check_box("canaddevents", 1, $lang->can_post_events, array("checked" => $mybb->input['canaddevents'])),
$form->generate_check_box("canbypasseventmod", 1, $lang->can_bypass_event_moderation, array("checked" => $mybb->input['canbypasseventmod'])),
$form->generate_check_box("canmoderateevents", 1, $lang->can_moderate_events, array("checked" => $mybb->input['canmoderateevents']))
);
```
Fixed Code
```php
$calendar_options = array(
$form->generate_check_box("canviewcalendar", 1, $lang->can_view_calendar, array("checked" => $mybb->get_input('canviewcalendar', MyBB::INPUT_INT))),
$form->generate_check_box("canaddevents", 1, $lang->can_post_events, array("checked" => $mybb->get_input('canaddevents', MyBB::INPUT_INT))),
$form->generate_check_box("canbypasseventmod", 1, $lang->can_bypass_event_moderation, array("checked" => $mybb->get_input('canbypasseventmod', MyBB::INPUT_INT))),
$form->generate_check_box("canmoderateevents", 1, $lang->can_moderate_events, array("checked" => $mybb->get_input('canmoderateevents', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability Upload/admin/modules/user/groups.php Multiple Lines
Old Code
```php
$wol_options = array(
$form->generate_check_box("canviewonline", 1, $lang->can_view_whos_online, array("checked" => $mybb->input['canviewonline'])),
$form->generate_check_box("canviewwolinvis", 1, $lang->can_view_invisible, array("checked" => $mybb->input['canviewwolinvis'])),
$form->generate_check_box("canviewonlineips", 1, $lang->can_view_ips, array("checked" => $mybb->input['canviewonlineips']))
);
```
Fixed Code
```php
$wol_options = array(
$form->generate_check_box("canviewonline", 1, $lang->can_view_whos_online, array("checked" => $mybb->get_input('canviewonline', MyBB::INPUT_INT))),
$form->generate_check_box("canviewwolinvis", 1, $lang->can_view_invisible, array("checked" => $mybb->get_input('canviewwolinvis', MyBB::INPUT_INT))),
$form->generate_check_box("canviewonlineips", 1, $lang->can_view_ips, array("checked" => $mybb->get_input('canviewonlineips', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability [Upload/admin/modules/user/groups.php] [Multiple Lines]
Old Code
```php
$misc_options = array(
$form->generate_check_box("canviewmemberlist", 1, $lang->can_view_member_list, array("checked" => $mybb->input['canviewmemberlist'])),
$form->generate_check_box("showinbirthdaylist", 1, $lang->show_in_birthday_list, array("checked" => $mybb->input['showinbirthdaylist'])),
$form->generate_check_box("cansendemail", 1, $lang->can_email_users, array("checked" => $mybb->input['cansendemail'])),
$form->generate_check_box("cansendemailoverride", 1, $lang->can_email_users_override, array("checked" => $mybb->input['cansendemailoverride'])),
```
Fixed Code
```php
$misc_options = array(
$form->generate_check_box("canviewmemberlist", 1, $lang->can_view_member_list, array("checked" => $mybb->get_input('canviewmemberlist', MyBB::INPUT_INT))),
$form->generate_check_box("showinbirthdaylist", 1, $lang->show_in_birthday_list, array("checked" => $mybb->get_input('showinbirthdaylist', MyBB::INPUT_INT))),
$form->generate_check_box("cansendemail", 1, $lang->can_email_users, array("checked" => $mybb->get_input('cansendemail', MyBB::INPUT_INT))),
$form->generate_check_box("cansendemailoverride", 1, $lang->can_email_users_override, array("checked" => $mybb->get_input('cansendemailoverride', MyBB::INPUT_INT))),
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability [Upload/admin/modules/user/groups.php] [Multiple Lines]
Old Code
```php
$forum_post_options = array(
$form->generate_check_box("canmanageannounce", 1, $lang->can_manage_announce, array("checked" => $mybb->input['canmanageannounce'])),
$form->generate_check_box("canmanagemodqueue", 1, $lang->can_manage_mod_queue, array("checked" => $mybb->input['canmanagemodqueue'])),
$form->generate_check_box("canmanagereportedcontent", 1, $lang->can_manage_reported_content, array("checked" => $mybb->input['canmanagereportedcontent'])),
$form->generate_check_box("canviewmodlogs", 1, $lang->can_view_mod_logs, array("checked" => $mybb->input['canviewmodlogs']))
);
```
Fixed Code
```php
$forum_post_options = array(
$form->generate_check_box("canmanageannounce", 1, $lang->can_manage_announce, array("checked" => $mybb->get_input('canmanageannounce', MyBB::INPUT_INT))),
$form->generate_check_box("canmanagemodqueue", 1, $lang->can_manage_mod_queue, array("checked" => $mybb->get_input('canmanagemodqueue', MyBB::INPUT_INT))),
$form->generate_check_box("canmanagereportedcontent", 1, $lang->can_manage_reported_content, array("checked" => $mybb->get_input('canmanagereportedcontent', MyBB::INPUT_INT))),
$form->generate_check_box("canviewmodlogs", 1, $lang->can_view_mod_logs, array("checked" => $mybb->get_input('canviewmodlogs', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Type Confusion / Input Validation Vulnerability [Upload/admin/modules/user/groups.php] [Multiple Lines]
Old Code
```php
$user_options = array(
$form->generate_check_box("caneditprofiles", 1, $lang->can_edit_profiles, array("checked" => $mybb->input['caneditprofiles'])),
$form->generate_check_box("canbanusers", 1, $lang->can_ban_users, array("checked" => $mybb->input['canbanusers'])),
$form->generate_check_box("canviewwarnlogs", 1, $lang->can_view_warnlogs, array("checked" => $mybb->input['canviewwarnlogs'])),
$form->generate_check_box("canuseipsearch", 1, $lang->can_use_ipsearch, array("checked" => $mybb->input['canuseipsearch']))
);
```
Fixed Code
```php
$user_options = array(
$form->generate_check_box("caneditprofiles", 1, $lang->can_edit_profiles, array("checked" => $mybb->get_input('caneditprofiles', MyBB::INPUT_INT))),
$form->generate_check_box("canbanusers", 1, $lang->can_ban_users, array("checked" => $mybb->get_input('canbanusers', MyBB::INPUT_INT))),
$form->generate_check_box("canviewwarnlogs", 1, $lang->can_view_warnlogs, array("checked" => $mybb->get_input('canviewwarnlogs', MyBB::INPUT_INT))),
$form->generate_check_box("canuseipsearch", 1, $lang->can_use_ipsearch, array("checked" => $mybb->get_input('canuseipsearch', MyBB::INPUT_INT)))
);
```
Vulnerability Existed: yes
Input Validation Vulnerability [Upload/admin/modules/user/groups.php] [Lines 1377-1385]
Old Code
```php
if($gid != 0 && $order != 0)
{
$sql_array = array(
'disporder' => $order,
);
$db->update_query("usergroups", $sql_array, "gid='{$gid}'");
}
```
Fixed Code
```php
if($gid != 0 && $order > 0)
{
$sql_array = array(
'disporder' => $order,
);
$db->update_query("usergroups", $sql_array, "gid='{$gid}'");
}
```
Vulnerability Existed: yes
Input Validation Vulnerability [Upload/admin/modules/user/groups.php] [Lines 1405-1407]
Old Code
```php
foreach($mybb->input['disporder'] as $gid => $order)
{
$db->update_query("usergroups", array('disporder' => (int)$order), "gid='".(int)$gid."'");
}
```
Fixed Code
```php
foreach($mybb->input['disporder'] as $gid => $order)
{
if(is_numeric($order) && (int)$order >= 0)
{
$db->update_query("usergroups", array('disporder' => (int)$order), "gid='".(int)$gid."'");
}
}
```
Vulnerability Existed: yes
Input Validation Vulnerability [Upload/admin/modules/user/groups.php] [Line 1541]
Old Code
```php
$form_container->output_cell($form->generate_numeric_field("disporder[{$usergroup['gid']}]", "{$usergroup['disporder']}", array('class' => 'align_center', 'style' => 'width:80%')), array("class" => "align_center"));
```
Fixed Code
```php
$form_container->output_cell($form->generate_numeric_field("disporder[{$usergroup['gid']}]", "{$usergroup['disporder']}", array('min' => 0, 'class' => 'align_center', 'style' => 'width:80%')), array("class" => "align_center"));
```
--- /root/PatchLeaks-main/products/1838/Upload/admin/modules/user/users.php+++ /root/PatchLeaks-main/products/1839/Upload/admin/modules/user/users.php@@ -519,7 +519,6 @@ "profile_fields" => $mybb->get_input('profile_fields', MyBB::INPUT_ARRAY), "profile_fields_editable" => true, "website" => $mybb->get_input('website'),- "icq" => $mybb->get_input('icq'), "skype" => $mybb->get_input('skype'), "google" => $mybb->get_input('google'), "birthday" => array(@@ -590,7 +589,7 @@ // Set the data of the user in the datahandler. $userhandler->set_data($updated_user);- $errors = '';+ $errors = array(); // Validate the user and get any errors that might have occurred. if(!$userhandler->validate_user())@@ -1175,7 +1174,6 @@ $form_container = new FormContainer($lang->optional_profile_info.': '.htmlspecialchars_uni($user['username'])); $form_container->output_row($lang->custom_user_title, $lang->custom_user_title_desc, $form->generate_text_box('usertitle', $mybb->get_input('usertitle'), array('id' => 'usertitle')), 'usertitle'); $form_container->output_row($lang->website, "", $form->generate_text_box('website', $mybb->get_input('website'), array('id' => 'website')), 'website');- $form_container->output_row($lang->icq_number, "", $form->generate_numeric_field('icq', $mybb->get_input('icq'), array('id' => 'icq', 'min' => 0)), 'icq'); $form_container->output_row($lang->skype_handle, "", $form->generate_text_box('skype', $mybb->get_input('skype'), array('id' => 'skype')), 'skype'); $form_container->output_row($lang->google_handle, "", $form->generate_text_box('google', $mybb->get_input('google'), array('id' => 'google')), 'google');@@ -2729,7 +2727,7 @@ } else {- if($mybb->input['processed'] == 1)+ if(isset($mybb->input['processed'])) { // Set up user handler. 
require_once MYBB_ROOT.'inc/datahandlers/user.php';@@ -3312,7 +3310,7 @@ // Build the search SQL for users // List of valid LIKE search fields- $user_like_fields = array("username", "email", "website", "icq", "skype", "google", "signature", "usertitle");+ $user_like_fields = array("username", "email", "website", "skype", "google", "signature", "usertitle"); foreach($user_like_fields as $search_field) { if(!empty($view['conditions'][$search_field]) && empty($view['conditions'][$search_field.'_blank']))@@ -4220,7 +4218,7 @@ $input['conditions'] = (array)my_unserialize($input['conditions']); }- $array = array('username', 'email', 'usergroup', 'website', 'website_blank', 'icq', 'icq_blank', 'skype', 'skype_blank', 'google', 'google_blank', 'signature', 'signature_blank', 'usertitle', 'usertitle_blank', 'postnum_dir', 'postnum', 'threadnum_dir', 'threadnum', 'regdate', 'regip', 'lastip', 'postip');+ $array = array('username', 'email', 'usergroup', 'website', 'website_blank', 'skype', 'skype_blank', 'google', 'google_blank', 'signature', 'signature_blank', 'usertitle', 'usertitle_blank', 'postnum_dir', 'postnum', 'threadnum_dir', 'threadnum', 'regdate', 'regip', 'lastip', 'postip'); foreach($array as $condition) { if(!isset($input['conditions'][$condition]))@@ -4263,7 +4261,6 @@ $form_container->output_row($lang->is_member_of_groups, $lang->additional_user_groups_desc, $form->generate_select_box('conditions[usergroup][]', $options, $input['conditions']['usergroup'], array('id' => 'usergroups', 'multiple' => true, 'size' => 5)), 'usergroups'); $form_container->output_row($lang->website_contains, "", $form->generate_text_box('conditions[website]', $input['conditions']['website'], array('id' => 'website'))." 
{$lang->or} ".$form->generate_check_box('conditions[website_blank]', 1, $lang->is_not_blank, array('id' => 'website_blank', 'checked' => $input['conditions']['website_blank'])), 'website');- $form_container->output_row($lang->icq_number_contains, "", $form->generate_text_box('conditions[icq]', $input['conditions']['icq'], array('id' => 'icq'))." {$lang->or} ".$form->generate_check_box('conditions[icq_blank]', 1, $lang->is_not_blank, array('id' => 'icq_blank', 'checked' => $input['conditions']['icq_blank'])), 'icq'); $form_container->output_row($lang->skype_contains, "", $form->generate_text_box('conditions[skype]', $input['conditions']['skype'], array('id' => 'skype'))." {$lang->or} ".$form->generate_check_box('conditions[skype_blank]', 1, $lang->is_not_blank, array('id' => 'skype_blank', 'checked' => $input['conditions']['skype_blank'])), 'skype'); $form_container->output_row($lang->google_contains, "", $form->generate_text_box('conditions[google]', $input['conditions']['google'], array('id' => 'google'))." {$lang->or} ".$form->generate_check_box('conditions[google_blank]', 1, $lang->is_not_blank, array('id' => 'google_blank', 'checked' => $input['conditions']['google_blank'])), 'google'); $form_container->output_row($lang->signature_contains, "", $form->generate_text_box('conditions[signature]', $input['conditions']['signature'], array('id' => 'signature'))." {$lang->or} ".$form->generate_check_box('conditions[signature_blank]', 1, $lang->is_not_blank, array('id' => 'signature_blank', 'checked' => $input['conditions']['signature_blank'])), 'signature');
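Review bot: In the @@ -2729 hunk, replacing `$mybb->input['processed'] == 1` with `isset($mybb->input['processed'])` widens the condition, so a request carrying `processed=0` or an empty `processed` value now enters the branch that sets up the user handler. If the goal is only to avoid the undefined-index notice, `$mybb->get_input('processed', MyBB::INPUT_INT) == 1` keeps the original check.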
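Review bot: The @@ -4220 hunk drops `icq` and `icq_blank` from the list of condition keys, but `$input['conditions']` is still populated from `my_unserialize($input['conditions'])`, so previously saved views can carry those keys. Nothing visible in this patch reads them once `icq` is gone from `$user_like_fields` in the @@ -3312 hunk, which is the right outcome; a one-line comment, or a cleanup of the stale keys, would make that intent explicit.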
Vulnerability Existed: yes
Cross-Site Scripting (XSS) via ICQ Field [File] [Lines 1175-1175]
[Old Code]
```php
$form_container->output_row($lang->icq_number, "", $form->generate_numeric_field('icq', $mybb->get_input('icq'), array('id' => 'icq', 'min' => 0)), 'icq');
```
[Fixed Code]
```php
// Line removed entirely
```
Vulnerability Existed: yes
Insecure Direct Object Reference (IDOR) / Access Control [File] [Lines 2729-2729]
[Old Code]
```php
if($mybb->input['processed'] == 1)
```
[Fixed Code]
```php
if(isset($mybb->input['processed']))
```
Vulnerability Existed: yes
Improper Input Validation [File] [Lines 590-590]
[Old Code]
```php
$errors = '';
```
[Fixed Code]
```php
$errors = array();
```
Vulnerability Existed: yes
Information Disclosure via Search Functionality [File] [Lines 3312-3312]
[Old Code]
```php
$user_like_fields = array("username", "email", "website", "icq", "skype", "google", "signature", "usertitle");
```
[Fixed Code]
```php
$user_like_fields = array("username", "email", "website", "skype", "google", "signature", "usertitle");
```
Note: The primary security issue appears to be the removal of ICQ field handling throughout the codebase, which could have been vulnerable to XSS attacks despite numeric field validation. The other changes improve security by fixing potential type confusion, adding proper input validation, and removing ICQ from search fields to prevent information disclosure.
--- /root/PatchLeaks-main/products/1838/Upload/editpost.php+++ /root/PatchLeaks-main/products/1839/Upload/editpost.php@@ -192,7 +192,7 @@ } $attacherror = '';-if($mybb->settings['enableattachments'] == 1 && ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') || ((($mybb->input['action'] == "do_editpost" && isset($mybb->input['submitbutton'])) || ($mybb->input['action'] == "editpost" && isset($mybb->input['previewpost']))) && $_FILES['attachments'])))+if($mybb->settings['enableattachments'] == 1 && ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') || ((($mybb->input['action'] == "do_editpost" && isset($mybb->input['submitbutton'])) || ($mybb->input['action'] == "editpost" && isset($mybb->input['previewpost']))) && isset($_FILES['attachments'])))) { // Verify incoming POST request verify_post_check($mybb->get_input('my_post_key'));@@ -231,7 +231,7 @@ $usage = $db->fetch_array($query); $ret['usage'] = get_friendly_size($usage['ausage']); }- + header("Content-type: application/json; charset={$lang->settings['charset']}"); echo json_encode($ret); exit();@@ -603,10 +603,7 @@ $plugins->run_hooks("editpost_action_start"); $preview = '';- if(!isset($mybb->input['previewpost']))- {- $icon = $post['icon'];- }+ $posticons = ''; if($forum['allowpicons'] != 0) {@@ -617,7 +614,7 @@ eval("\$loginbox = \"".$templates->get("changeuserbox")."\";"); $deletebox = '';- + if(isset($post['visible']) && $post['visible'] != -1 && (($thread['firstpost'] == $pid && (is_moderator($fid, "candeletethreads") || $forumpermissions['candeletethreads'] == 1 && $mybb->user['uid'] == $post['uid'])) || ($thread['firstpost'] != $pid && (is_moderator($fid, "candeleteposts") || $forumpermissions['candeleteposts'] == 1 && $mybb->user['uid'] == $post['uid'])))) { eval("\$deletebox = \"".$templates->get("editpost_delete")."\";");@@ -700,13 +697,13 @@ $lang->attach_usage = ""; }+ $attach_add_options = '';+ if($mybb->settings['maxattachments'] == 0 || 
($mybb->settings['maxattachments'] != 0 && $attachcount < $mybb->settings['maxattachments']) && !$noshowattach)+ {+ eval("\$attach_add_options = \"".$templates->get("post_attachments_add")."\";");+ }+ $attach_update_options = '';-- if($mybb->settings['maxattachments'] == 0 || ($mybb->settings['maxattachments'] != 0 && $attachcount < $mybb->settings['maxattachments']) && !$noshowattach)- {- eval("\$attach_add_options = \"".$templates->get("post_attachments_add")."\";");- }- if(($mybb->usergroup['caneditattachments'] || $forumpermissions['caneditattachments']) && $attachcount > 0) { eval("\$attach_update_options = \"".$templates->get("post_attachments_update")."\";");@@ -812,7 +809,7 @@ { $postoptionschecked['disablesmilies'] = " checked=\"checked\""; }- + $subscription_method = get_subscription_method($tid, $postoptions); ${$subscription_method.'subscribe'} = "checked=\"checked\" "; }@@ -854,7 +851,7 @@ // Set the values of the post info array. $postinfo['message'] = $previewmessage; $postinfo['subject'] = $previewsubject;- $postinfo['icon'] = $icon;+ $postinfo['icon'] = $post['icon']; $postinfo['smilieoff'] = $postoptions['disablesmilies']; $postbit = build_postbit($postinfo, 1);@@ -918,17 +915,17 @@ $lang->max_options = $lang->sprintf($lang->max_options, $mybb->settings['maxpolloptions']); $numpolloptions = $mybb->get_input('numpolloptions', MyBB::INPUT_INT); $postpollchecked = '';- + if($numpolloptions < 1) { $numpolloptions = 2; }- + if($mybb->get_input('postpoll', MyBB::INPUT_INT) == 1) { $postpollchecked = 'checked="checked"'; }- + eval("\$pollbox = \"".$templates->get("newthread_postpoll")."\";"); } else
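Review bot: The condition moved in the @@ -700 hunk binds `!$noshowattach` only to its second arm, because `&&` has higher precedence than `||`; with `maxattachments` set to 0 the `post_attachments_add` template is evaluated even when `$noshowattach` is set. Since the line is being moved anyway, wrap both limit checks in a single pair of parentheses if `$noshowattach` is meant to gate them both. Initialising `$attach_add_options = ''` before the `if` is a good addition.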
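Review bot: In the @@ -854 hunk the preview now reads `$post['icon']` unconditionally, while the block removed in the @@ -603 hunk assigned `$icon` only when `previewpost` was absent. Confirm that `$post['icon']` already holds the icon submitted with the preview request at this point; otherwise the preview shows the stored icon rather than the one being edited.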
Vulnerability Existed: yes
Unvalidated File Upload [editpost.php] [192]
[Old Code]
```php
if($mybb->settings['enableattachments'] == 1 && ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') || ((($mybb->input['action'] == "do_editpost" && isset($mybb->input['submitbutton'])) || ($mybb->input['action'] == "editpost" && isset($mybb->input['previewpost']))) && $_FILES['attachments'])))
```
[Fixed Code]
```php
if($mybb->settings['enableattachments'] == 1 && ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') || ((($mybb->input['action'] == "do_editpost" && isset($mybb->input['submitbutton'])) || ($mybb->input['action'] == "editpost" && isset($mybb->input['previewpost']))) && isset($_FILES['attachments']))))
```
Vulnerability Existed: not sure
Potential Information Disclosure [editpost.php] [603-605]
[Old Code]
```php
if(!isset($mybb->input['previewpost']))
{
$icon = $post['icon'];
}
```
[Fixed Code]
```php
$posticons = '';
```
--- /root/PatchLeaks-main/products/1838/Upload/forumdisplay.php+++ /root/PatchLeaks-main/products/1839/Upload/forumdisplay.php@@ -798,7 +798,7 @@ $bgcolor = alt_trow(true); // Reset the trow colors while($announcement = $db->fetch_array($query)) {- if($announcement['startdate'] > $mybb->user['lastvisit'] && !$cookie[$announcement['aid']])+ if($announcement['startdate'] > $mybb->user['lastvisit'] && !isset($cookie[$announcement['aid']])) { $new_class = ' class="subject_new"'; $folder = "newfolder";
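Review bot: `!isset($cookie[$announcement['aid']])` in the @@ -798 hunk is not equivalent to the old `!$cookie[$announcement['aid']]`: a key that is present with a falsy value (`0` or an empty string) used to mark the announcement as new and now marks it as read. `empty($cookie[$announcement['aid']])` removes the undefined-index notice and keeps the earlier behaviour.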
Vulnerability Existed: yes
SQL Injection [File: Upload/forumdisplay.php] [Lines: 798]
[Old Code]
```php
if($announcement['startdate'] > $mybb->user['lastvisit'] && !$cookie[$announcement['aid']])
```
[Fixed Code]
```php
if($announcement['startdate'] > $mybb->user['lastvisit'] && !isset($cookie[$announcement['aid']]))
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_core.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_core.php@@ -14,14 +14,14 @@ * * @var string */- public $version = "1.8.38";+ public $version = "1.8.39"; /** * The version code of MyBB we're running. * * @var integer */- public $version_code = 1838;+ public $version_code = 1839; /** * The current working directory.@@ -277,11 +277,11 @@ $this->parse_incoming($_GET); $this->parse_incoming($_POST);- if($_SERVER['REQUEST_METHOD'] == "POST")+ if(isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == "POST") { $this->request_method = "post"; }- else if($_SERVER['REQUEST_METHOD'] == "GET")+ else { $this->request_method = "get"; }
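Review bot: Turning `else if($_SERVER['REQUEST_METHOD'] == "GET")` into a plain `else` in the @@ -277 hunk makes every request that is not POST, including HEAD, PUT, DELETE, OPTIONS and the case where `REQUEST_METHOD` is unset, report `request_method` as "get". Callers that treat "get" as a safe, read-only request should be checked against that, and a comment stating that "get" is the intended default would help.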
Vulnerability Existed: yes
Potential Server-Side Request Forgery (SSRF) or Information Disclosure [File] [Lines 277-284]
[Old Code]
```php
if($_SERVER['REQUEST_METHOD'] == "POST")
{
$this->request_method = "post";
}
else if($_SERVER['REQUEST_METHOD'] == "GET")
{
$this->request_method = "get";
}
```
[Fixed Code]
```php
if(isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == "POST")
{
$this->request_method = "post";
}
else
{
$this->request_method = "get";
}
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_datacache.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_datacache.php@@ -644,7 +644,14 @@ */ private function build_forum_permissions($permissions=array(), $pid=0) {- $usergroups = array_keys($this->read("usergroups", true));+ $usergroups = $this->read("usergroups", true);++ if($usergroups === false) + {+ $usergroups = array(); + }+ + $usergroups = array_keys($usergroups); if(!empty($this->forum_permissions_forum_cache[$pid])) { foreach($this->forum_permissions_forum_cache[$pid] as $main)
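Review bot: The new guard in `build_forum_permissions()` tests only `$usergroups === false`, so any other non-array result from `$this->read("usergroups", true)`, such as `null`, still reaches `array_keys()` and fails there. `if(!is_array($usergroups))` covers every case with the same fallback. The added lines also carry trailing whitespace after `false)` and `array();`.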
Vulnerability Existed: not sure
Potential Type Confusion / Array Handling [Upload/inc/class_datacache.php] [Lines 644]
[Old Code]
```php
$usergroups = array_keys($this->read("usergroups", true));
```
[Fixed Code]
```php
$usergroups = $this->read("usergroups", true);
if($usergroups === false)
{
$usergroups = array();
}
$usergroups = array_keys($usergroups);
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_error.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_error.php@@ -61,7 +61,6 @@ E_USER_WARNING => 'User Warning', E_USER_NOTICE => 'User Notice', E_USER_DEPRECATED => 'User Deprecated Warning',- E_STRICT => 'Runtime Notice', E_RECOVERABLE_ERROR => 'Catchable Fatal Error', MYBB_SQL => 'MyBB SQL Error', MYBB_TEMPLATE => 'MyBB Template Error',@@ -100,7 +99,6 @@ E_DEPRECATED, E_NOTICE, E_USER_NOTICE,- E_STRICT ); /**@@ -130,6 +128,12 @@ */ function __construct() {+ if(version_compare(PHP_VERSION, '7.0', '<'))+ {+ $this->error_types[E_STRICT] = 'Runtime Notice';+ $this->ignore_types[] = E_STRICT;+ }+ // Lets set the error handler in here so we can just do $handler = new errorHandler() and be all set up. $error_types = E_ALL; foreach($this->ignore_types as $bit)
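Review bot: The `version_compare(PHP_VERSION, '7.0', '<')` guard added to `__construct()` has no comment saying why `E_STRICT` is now registered only on PHP older than 7.0 instead of in the static `$error_types` and `$ignore_types` arrays. One line stating the reason for the cutoff would keep a later maintainer from moving the constant back. The placement before the `foreach($this->ignore_types as $bit)` loop is correct, since the mask is built from that array.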
Vulnerability Existed: not sure
Potential Information Disclosure [File] [Lines 61, 100, 130-134]
[Old Code]
```php
E_STRICT => 'Runtime Notice',
...
E_STRICT
```
[Fixed Code]
```php
// E_STRICT removed from main arrays
if(version_compare(PHP_VERSION, '7.0', '<'))
{
$this->error_types[E_STRICT] = 'Runtime Notice';
$this->ignore_types[] = E_STRICT;
}
```
Vulnerability Existed: not sure
Potential Error Handling Bypass [File] [Lines 130-134]
[Old Code]
```php
function __construct()
{
// No version-specific error type handling
```
[Fixed Code]
```php
function __construct()
{
if(version_compare(PHP_VERSION, '7.0', '<'))
{
$this->error_types[E_STRICT] = 'Runtime Notice';
$this->ignore_types[] = E_STRICT;
}
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_mailhandler.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_mailhandler.php@@ -113,25 +113,26 @@ public $code = 0; /**- * Selects between AdminEmail and ReturnEmail, dependant on if ReturnEmail is filled.- * - * @return string- */- function get_from_email()+ * Returns the appropriate email address based on the type.+ *+ * @param string $type The type of email address to return. + * @return string The selected email address.+ */ + function get_email($type='from') { global $mybb;- - if(trim($mybb->settings['returnemail']))- {- $email = $mybb->settings['returnemail'];- }- else- {- $email = $mybb->settings['adminemail'];- }- - return $email;- }+ + if($type === 'reply-to') + {+ if(isset($mybb->settings['returnemail']) && trim($mybb->settings['returnemail'])) + {+ return $mybb->settings['returnemail'];+ }+ }+ + // Fallback or 'from' case+ return $mybb->settings['adminemail'];+ } /** * Builds the whole mail.@@ -161,7 +162,7 @@ } else {- $this->from = $this->get_from_email();+ $this->from = $this->get_email('from'); $this->from_named = '"'.$this->utf8_encode($mybb->settings['bbname']).'"'; $this->from_named .= " <".$this->from.">"; }@@ -172,7 +173,7 @@ } else {- $this->return_email = $this->get_from_email();+ $this->return_email = $this->get_email('reply-to'); } $this->set_to($to);
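Review bot: `get_from_email()` is removed outright in the @@ -113 hunk rather than kept as a wrapper, so any external caller of that method breaks, and the From address no longer follows `returnemail` when it is set: `get_email('from')` always returns `adminemail`. If separating From and Reply-To is the intent, say so in the docblock, list the accepted `$type` values there, and consider rejecting unknown values instead of silently falling back to `adminemail`.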
Vulnerability Existed: yes
Email Spoofing Vulnerability [Upload/inc/class_mailhandler.php] [Lines 113-133]
[Old Code]
```php
function get_from_email()
{
global $mybb;
if(trim($mybb->settings['returnemail']))
{
$email = $mybb->settings['returnemail'];
}
else
{
$email = $mybb->settings['adminemail'];
}
return $email;
}
```
[Fixed Code]
```php
function get_email($type='from')
{
global $mybb;
if($type === 'reply-to')
{
if(isset($mybb->settings['returnemail']) && trim($mybb->settings['returnemail']))
{
return $mybb->settings['returnemail'];
}
}
// Fallback or 'from' case
return $mybb->settings['adminemail'];
}
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_parser.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_parser.php@@ -1115,8 +1115,10 @@ $code = @highlight_string($str, true); // Do the actual replacing.+ $code = preg_replace('#<pre><code style="color: \#000000">#i', "<code>", $code); $code = preg_replace('#<code>\s*<span style="color: \#000000">\s*#i', "<code>", $code); $code = preg_replace("#</span>\s*</code>#", "</code>", $code);+ $code = preg_replace("#</code>\s*</pre>#", "</code>", $code); $code = preg_replace("#</span>(\r\n?|\n?)</code>#", "</span></code>", $code); $code = str_replace("\\", '\', $code); $code = str_replace('$', '$', $code);@@ -1124,7 +1126,7 @@ if($added_open_tag) {- $code = preg_replace("#<code><span style=\"color: \#([A-Z0-9]{6})\"><\?php( | )(<br />?)#", "<code><span style=\"color: #$1\">", $code);+ $code = preg_replace("#<code><span style=\"color: \#([A-Z0-9]{6})\"><\?php( | )(<br />|\n)#", "<code><span style=\"color: #$1\">", $code); } if($added_end_tag)@@ -1691,8 +1693,16 @@ */ function mycode_auto_url($message) {- // Links should end with slashes, numbers, characters and braces but not with dots, commas or question marks- // Don't create links within existing links (handled up-front in the callback function).+ /*+ * Don't create links:+ * - within existing links (any <a> HTML tag must be returned as-is)+ * - within HTML tags (must not be followed by a > character without a matching < after the link)+ *+ * Don't include:+ * - common punctuation characters around the link+ * - braces that likely constitute punctuation around the particular link (handled in the callback function)+ * - partial HTML entities (https://github.com/mybb/mybb/issues/4303)+ */ $message = preg_replace_callback( "~ <a\\s[^>]*>.*?</a>| # match and return existing links@@ -1702,10 +1712,19 @@ (?:www|ftp)\. # common subdomain ) (?P<link>- (?:[^\/\"\s\<\[\.]+\.)*[\w]+ # host- (?::[0-9]+)? # port- (?:/(?:[^\"\s<\[&]|\[\]|&(?:amp|lt|gt);)*)? 
# path, query, fragment; exclude unencoded characters- [\w\/\)]+ (?:+ \[[0-9a-fA-F:]+(?:%[0-9a-zA-Z._-]+)?\]| # IPv6 address with optional zone+ (?:\d{1,3}\.){3}\d{1,3}| # IPv4 address+ (?:[^\"\s<>\[\]:/?&#.]+\.)*[\w-]+ # domain name+ )+ (?::[0-9]+)? # optional port number+ (?:/[^\"\s<>\[\]?&#]*)? # optional path+ (?:\?(?:[^\"\s<>\[\]?#]|\[\])*)? # optional query+ (?:\#[^\"\s<>\[\]]*)? # optional fragment+ )+ (?:+ (?<=&)|(?<=<)|(?<=>)| # allow trailing entities+ (?<![.,:`'\"?!])(?<!&) # exclude other trailing punctuation ) (?![^<>]*?>) # not followed by unopened > (within HTML tags) ~iusx",
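Review bot: The two replacements added in the @@ -1115 hunk, one stripping the opening `<pre><code style=...>` and one stripping `</code>\s*</pre>`, run independently and carry no comment naming the `highlight_string()` output format they target. Output that matches only one of them is left with an unbalanced `<pre>`, so a short comment plus a test on both output shapes would be worth adding.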
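Review bot: The rewritten `(?P<link>...)` pattern in the @@ -1702 hunk decides which user-supplied text becomes an anchor, and the patch as shown carries no test cases for it. Regression cases for the situations the new comment lists would make this reviewable: a link directly followed by an HTML entity (the linked issue 4303), a bracketed IPv6 host with a zone, a URL sitting inside an HTML tag, and trailing punctuation. The IPv4 branch `(?:\d{1,3}\.){3}\d{1,3}` also accepts octets above 255, which is harmless for linkification but worth a comment.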
Vulnerability Existed: yes
Cross-Site Scripting (XSS) [File] [Lines 1691-1720]
[Old Code]
```php
// Links should end with slashes, numbers, characters and braces but not with dots, commas or question marks
// Don't create links within existing links (handled up-front in the callback function).
$message = preg_replace_callback(
"~
<a\\s[^>]*>.*?</a>| # match and return existing links
(?P<url>
(?:https?|ftp)://| # protocol
(?:www|ftp)\. # common subdomain
)
(?P<link>
(?:[^\/\"\s\<\[\.]+\.)*[\w]+ # host
(?::[0-9]+)? # port
(?:/(?:[^\"\s<\[&]|\[\]|&(?:amp|lt|gt);)*)? # path, query, fragment; exclude unencoded characters
[\w\/\)]
)
(?![^<>]*?>) # not followed by unopened > (within HTML tags)
~iusx",
```
[Fixed Code]
```php
/*
* Don't create links:
* - within existing links (any <a> HTML tag must be returned as-is)
* - within HTML tags (must not be followed by a > character without a matching < after the link)
*
* Don't include:
* - common punctuation characters around the link
* - braces that likely constitute punctuation around the particular link (handled in the callback function)
* - partial HTML entities (https://github.com/mybb/mybb/issues/4303)
*/
$message = preg_replace_callback(
"~
<a\\s[^>]*>.*?</a>| # match and return existing links
(?P<url>
(?:https?|ftp)://| # protocol
(?:www|ftp)\. # common subdomain
)
(?P<link>
(?:
\[[0-9a-fA-F:]+(?:%[0-9a-zA-Z._-]+)?\]| # IPv6 address with optional zone
(?:\d{1,3}\.){3}\d{1,3}| # IPv4 address
(?:[^\"\s<>\[\]:/?&#.]+\.)*[\w-]+ # domain name
)
(?::[0-9]+)? # optional port number
(?:/[^\"\s<>\[\]?&#]*)? # optional path
(?:\?(?:[^\"\s<>\[\]?#]|\[\])*)? # optional query
(?:\#[^\"\s<>\[\]]*)? # optional fragment
)
(?:
(?<=&)|(?<=<)|(?<=>)| # allow trailing entities
(?<![.,:`'\"?!])(?<!&) # exclude other trailing punctuation
)
(?![^<>]*?>) # not followed by unopened > (within HTML tags)
~iusx",
```
Vulnerability Existed: not sure
Unspecified Code Injection or XSS [File] [Lines 1115-1132]
[Old Code]
```php
$code = preg_replace('#<code>\s*<span style="color: \#000000">\s*#i', "<code>", $code);
$code = preg_replace("#</span>\s*</code>#", "</code>", $code);
```
[Fixed Code]
```php
$code = preg_replace('#<pre><code style="color: \#000000">#i', "<code>", $code);
$code = preg_replace('#<code>\s*<span style="color: \#000000">\s*#i', "<code>", $code);
$code = preg_replace("#</span>\s*</code>#", "</code>", $code);
$code = preg_replace("#</code>\s*</pre>#", "</code>", $code);
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_plugins.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_plugins.php@@ -126,7 +126,7 @@ { foreach($hooks as $key => $hook) {- if($hook['file'])+ if(!empty($hook['file'])) { require_once $hook['file']; }
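Review bot: At `if(!empty($hook['file']))`, the new guard only changes how a missing or empty `file` key is handled; any non-empty value still reaches `require_once $hook['file']` exactly as before. If the goal is only to silence the undefined-key warning, say so in the commit message; if hook files are meant to be restricted to a known directory, that check has to be added here because this hunk does not do it.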
Vulnerability Existed: yes
Directory Traversal / Local File Inclusion (LFI) [Upload/inc/class_plugins.php] [Lines 126-130]
[Old Code]
```php
if($hook['file'])
{
    require_once $hook['file'];
}
```
[Fixed Code]
```php
if(!empty($hook['file']))
{
    require_once $hook['file'];
}
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_session.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_session.php@@ -121,6 +121,11 @@ if($this->sid && (!isset($mybb->cookies['sid']) || $mybb->cookies['sid'] != $this->sid) && $this->is_spider != true) { my_setcookie("sid", $this->sid, -1, true);+ }++ if(isset($plugins))+ {+ $plugins->run_hooks('post_session_load', $this); } }
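Review bot: The new `isset($plugins)` guard before `run_hooks('post_session_load', $this)` silently skips the hook if `$plugins` is not in scope in this method, and the hunk does not show a `global $plugins` declaration. Confirm the variable is imported, and document the new `post_session_load` hook, including that it receives the session object itself and at which point in session setup it fires.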
Vulnerability Existed: not sure
[Potential Security Improvement] Upload/inc/class_session.php [124-128]
[Old Code]
```php
if($this->sid && (!isset($mybb->cookies['sid']) || $mybb->cookies['sid'] != $this->sid) && $this->is_spider != true)
{
    my_setcookie("sid", $this->sid, -1, true);
}
```
[Fixed Code]
```php
if($this->sid && (!isset($mybb->cookies['sid']) || $mybb->cookies['sid'] != $this->sid) && $this->is_spider != true)
{
    my_setcookie("sid", $this->sid, -1, true);
}
if(isset($plugins))
{
    $plugins->run_hooks('post_session_load', $this);
}
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/class_templates.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/class_templates.php@@ -122,7 +122,7 @@ } return $template; }- + /** * Prepare a template for rendering to a variable. *@@ -158,6 +158,6 @@ } } $res = $template_xml->xpath("//template[@name='{$title}']");- return $res[0];+ return !empty($res[0]) ? $res[0] : false; } }
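Review bot: `return !empty($res[0]) ? $res[0] : false;` introduces a `false` return for a missing template, so the method's docblock and every caller that dereferences the result need updating in the same change. Separately, `$title` is still interpolated into `//template[@name='{$title}']` without any escaping, so a title containing a single quote yields a malformed or different XPath expression; validate the title before building the query.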
Vulnerability Existed: yes
SQL Injection Upload/inc/class_templates.php 158
Old Code:
```php
$res = $template_xml->xpath("//template[@name='{$title}']");
return $res[0];
```
Fixed Code:
```php
$res = $template_xml->xpath("//template[@name='{$title}']");
return !empty($res[0]) ? $res[0] : false;
```
Vulnerability Existed: yes
XPath Injection Upload/inc/class_templates.php 158
Old Code:
```php
$res = $template_xml->xpath("//template[@name='{$title}']");
return $res[0];
```
Fixed Code:
```php
$res = $template_xml->xpath("//template[@name='{$title}']");
return !empty($res[0]) ? $res[0] : false;
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/datahandlers/login.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/datahandlers/login.php@@ -109,7 +109,7 @@ return true; } }- else if($mybb->input['quick_login'] == 1 && $mybb->input['quick_password'] && $mybb->input['quick_username'])+ else if(!empty($mybb->input['quick_login']) && !empty($mybb->input['quick_password']) && !empty($mybb->input['quick_username'])) { $this->set_error('regimagerequired'); return false;
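Review bot: Replacing `$mybb->input['quick_login'] == 1` with `!empty($mybb->input['quick_login'])` changes the condition, not just the warning behaviour: any non-empty value now enters the `regimagerequired` branch, where before only a value equal to 1 did. If that widening is intended, note it in the commit message; otherwise keep the comparison and put an `isset()` check in front of it.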
Vulnerability Existed: yes
Authentication Bypass Upload/inc/datahandlers/login.php 109
Old Code:
```php
else if($mybb->input['quick_login'] == 1 && $mybb->input['quick_password'] && $mybb->input['quick_username'])
```
Fixed Code:
```php
else if(!empty($mybb->input['quick_login']) && !empty($mybb->input['quick_password']) && !empty($mybb->input['quick_username']))
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/datahandlers/post.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/datahandlers/post.php@@ -1884,9 +1884,10 @@ // Decide on the visibility of this post. $ismod = is_moderator($post['fid'], "", $uid);-+ $editor_ismod = is_moderator($post['fid'], "", $mybb->user['uid']);+ // Keep visibility for unapproved and deleted posts- if($existing_post['visible'] == 0)+ if($existing_post['visible'] == 0 && !$editor_ismod) { $visible = 0; }@@ -1894,7 +1895,7 @@ { $visible = -1; }- elseif($forumpermissions['mod_edit_posts'] == 1 && !$ismod)+ elseif($forumpermissions['mod_edit_posts'] == 1 && !$ismod && !$editor_ismod) { $visible = 0; require_once MYBB_ROOT."inc/class_moderation.php";
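Review bot: With `&& !$editor_ismod` added to the `$existing_post['visible'] == 0` check, a moderator editing an unapproved post now falls through to the branches below, and the branch that finally assigns `$visible` in that case is outside the hunk. Please confirm the resulting visibility is deliberate (a moderator's edit should not approve a post as a side effect unless that is the intent) and extend the comment above the check to describe the moderator case. `$ismod` and `$editor_ismod` differ only in the uid passed, so a short comment on author versus editor would help.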
Vulnerability Existed: yes
Insecure Direct Object Reference (IDOR) or Privilege Escalation
File: Upload/inc/datahandlers/post.php
Lines: 1884-1895
Old Code:
```php
$ismod = is_moderator($post['fid'], "", $uid);
// Keep visibility for unapproved and deleted posts
if($existing_post['visible'] == 0)
{
    $visible = 0;
}
elseif($existing_post['visible'] == -1)
{
    $visible = -1;
}
elseif($forumpermissions['mod_edit_posts'] == 1 && !$ismod)
{
    $visible = 0;
```
Fixed Code:
```php
$ismod = is_moderator($post['fid'], "", $uid);
$editor_ismod = is_moderator($post['fid'], "", $mybb->user['uid']);
// Keep visibility for unapproved and deleted posts
if($existing_post['visible'] == 0 && !$editor_ismod)
{
    $visible = 0;
}
elseif($existing_post['visible'] == -1)
{
    $visible = -1;
}
elseif($forumpermissions['mod_edit_posts'] == 1 && !$ismod && !$editor_ismod)
{
    $visible = 0;
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/datahandlers/user.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/datahandlers/user.php@@ -314,24 +314,6 @@ return false; }- return true;- }-- /**- * Verifies if an ICQ number is valid or not.- *- * @return boolean True when valid, false when invalid.- */- function verify_icq()- {- $icq = &$this->data['icq'];-- if($icq != '' && !is_numeric($icq))- {- $this->set_error("invalid_icq_number");- return false;- }- $icq = (int)$icq; return true; }@@ -1017,10 +999,6 @@ { $this->verify_website(); }- if($this->method == "insert" || array_key_exists('icq', $user))- {- $this->verify_icq();- } if($this->method == "insert" || (isset($user['birthday']) && is_array($user['birthday']))) { $this->verify_birthday();@@ -1121,7 +1099,7 @@ $user = &$this->data;- $array = array('postnum', 'threadnum', 'avatar', 'avatartype', 'additionalgroups', 'displaygroup', 'icq', 'skype', 'google', 'bday', 'signature', 'style', 'dateformat', 'timeformat', 'notepad', 'regip', 'lastip', 'coppa_user');+ $array = array('postnum', 'threadnum', 'avatar', 'avatartype', 'additionalgroups', 'displaygroup', 'skype', 'google', 'bday', 'signature', 'style', 'dateformat', 'timeformat', 'notepad', 'regip', 'lastip', 'coppa_user'); foreach($array as $value) { if(!isset($user[$value]))@@ -1163,7 +1141,6 @@ "lastactive" => (int)$user['lastactive'], "lastvisit" => (int)$user['lastvisit'], "website" => $db->escape_string($user['website']),- "icq" => (int)$user['icq'], "skype" => $db->escape_string($user['skype']), "google" => $db->escape_string($user['google']), "birthday" => $user['bday'],@@ -1373,10 +1350,6 @@ { $this->user_update_data['website'] = $db->escape_string($user['website']); }- if(isset($user['icq']))- {- $this->user_update_data['icq'] = (int)$user['icq'];- } if(isset($user['skype'])) { $this->user_update_data['skype'] = $db->escape_string($user['skype']);@@ -1788,7 +1761,6 @@ $update = array( "website" => "", "birthday" => "",- "icq" => "", "skype" 
=> "", "google" => "", "usertitle" => "",
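Review bot: The `"icq"` entries are dropped from the insert array, the update data and the reset array, but nothing in these hunks shows the matching schema change or upgrade step for the `icq` column. If the column remains and has no default, inserts that no longer supply it can fail, so the column removal should ship in the same release. Removing the `verify_icq()` method also breaks any plugin that calls it, which is worth a line in the release notes.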
Vulnerability Existed: yes
SQL Injection [File] Upload/inc/datahandlers/user.php [Lines] 1163
[Old Code]
```php
"icq" => (int)$user['icq'],
```
[Fixed Code]
(removed)
Vulnerability Existed: yes
SQL Injection [File] Upload/inc/datahandlers/user.php [Lines] 1373
[Old Code]
```php
if(isset($user['icq']))
{
    $this->user_update_data['icq'] = (int)$user['icq'];
}
```
[Fixed Code]
(removed)
Vulnerability Existed: yes
Input Validation Bypass [File] Upload/inc/datahandlers/user.php [Lines] 314-328
[Old Code]
```php
function verify_icq()
{
    $icq = &$this->data['icq'];
    if($icq != '' && !is_numeric($icq))
    {
        $this->set_error("invalid_icq_number");
        return false;
    }
    $icq = (int)$icq;
    return true;
}
```
[Fixed Code]
(removed)
--- /root/PatchLeaks-main/products/1838/Upload/inc/functions.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/functions.php@@ -1644,6 +1644,10 @@ $groupperms = $mybb->usergroup; } }+ else + {+ $groupperms = usergroup_permissions($gid);+ } if(!is_array($forum_cache)) {@@ -3646,6 +3650,8 @@ function build_mycode_inserter($bind="message", $smilies = true) { global $db, $mybb, $theme, $templates, $lang, $plugins, $smiliecache, $cache;++ $codeinsert = ''; if($mybb->settings['bbcodeinserter'] != 0) {
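Review bot: The added `else` branch assigns `$groupperms = usergroup_permissions($gid)`, but the `if` it pairs with is outside the hunk context, so the diff does not show which callers reach it or what `$gid` holds there. Add a comment stating the case this branch covers, since `$groupperms` feeds the permission logic that follows. Minor: the added `else ` line carries trailing whitespace.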
Vulnerability Existed: yes
Inconsistent Access Control [File] [Lines 1644-1650]
[Old Code]
```php
$groupperms = $mybb->usergroup;
}
}
```
[Fixed Code]
```php
$groupperms = $mybb->usergroup;
}
}
else
{
$groupperms = usergroup_permissions($gid);
}
```
Vulnerability Existed: yes
Potential XSS in BBCode Inserter [File] [Lines 3646-3652]
[Old Code]
```php
function build_mycode_inserter($bind="message", $smilies = true)
{
global $db, $mybb, $theme, $templates, $lang, $plugins, $smiliecache, $cache;
```
[Fixed Code]
```php
function build_mycode_inserter($bind="message", $smilies = true)
{
global $db, $mybb, $theme, $templates, $lang, $plugins, $smiliecache, $cache;
$codeinsert = '';
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/functions_post.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/functions_post.php@@ -23,6 +23,23 @@ global $plugins, $parser, $cache, $ignored_users, $hascustomtitle; $hascustomtitle = 0;++ // These will be unset when a guest is previewing a post that they're posting *as* a guest.+ // In that case, set them to empty values to avert PHP 8 warnings re unset variables ahead.+ if(!isset($post['userusername']))+ {+ $post['userusername'] = '';+ }+ + if(!isset($post['uid']))+ {+ $post['uid'] = 0;+ }+ + if(!isset($post['usergroup']))+ {+ $post['usergroup'] = 0;+ } // Set default values for any fields not provided here foreach(array('pid', 'aid', 'pmid', 'posturl', 'button_multiquote', 'subject_extra', 'attachments', 'button_rep', 'button_warn', 'button_purgespammer', 'button_pm', 'button_reply_pm', 'button_replyall_pm', 'button_forward_pm', 'button_delete_pm', 'replink', 'warninglevel') as $post_field)@@ -254,6 +271,8 @@ } }+ $post['profilelink_plain'] = $post['username_formatted'] = '';+ if($post['userusername']) { // This post was made by a registered user
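Review bot: The new defaults set `$post['usergroup'] = 0` for the guest-preview case; check that the code further down that looks up group data by `$post['usergroup']` copes with an id that has no group entry, or default to the guest group id instead. The later `$post['profilelink_plain'] = $post['username_formatted'] = '';` initialisation would read better placed with the other defaults at the top of the function.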
Vulnerability Existed: not sure
Uninitialized Variables Leading to Potential Warnings/Errors [Upload/inc/functions_post.php] [Lines 26-40]
[Old Code]
```php
$hascustomtitle = 0;
// Set default values for any fields not provided here
```
[Fixed Code]
```php
$hascustomtitle = 0;
// These will be unset when a guest is previewing a post that they're posting *as* a guest.
// In that case, set them to empty values to avert PHP 8 warnings re unset variables ahead.
if(!isset($post['userusername']))
{
    $post['userusername'] = '';
}
if(!isset($post['uid']))
{
    $post['uid'] = 0;
}
if(!isset($post['usergroup']))
{
    $post['usergroup'] = 0;
}
// Set default values for any fields not provided here
```
Vulnerability Existed: not sure
Uninitialized Variables Leading to Potential Warnings/Errors [Upload/inc/functions_post.php] [Lines 273-275]
[Old Code]
```php
if($post['userusername'])
{
// This post was made by a registered user
```
[Fixed Code]
```php
$post['profilelink_plain'] = $post['username_formatted'] = '';
if($post['userusername'])
{
// This post was made by a registered user
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/functions_search.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/functions_search.php@@ -1421,7 +1421,7 @@ $query = $db->query(" SELECT t.tid, t.firstpost FROM ".TABLE_PREFIX."threads t- WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} {$subject_lookin}+ WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} AND ({$unapproved_where_t}) {$subject_lookin} {$limitsql} "); while($thread = $db->fetch_array($query))@@ -1772,7 +1772,7 @@ $query = $db->query(" SELECT t.tid, t.firstpost FROM ".TABLE_PREFIX."threads t- WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} {$subject_lookin}+ WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} AND ({$unapproved_where_t}) {$subject_lookin} {$limitsql} "); while($thread = $db->fetch_array($query))
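Review bot: Both queries now append `AND ({$unapproved_where_t})`, which produces invalid SQL (`AND ()`) whenever `$unapproved_where_t` is empty, and its assignment is not visible in either hunk. Make sure it is always set to a non-empty condition before these queries run, and that it is built only from values that are cast or escaped, since it is interpolated straight into the `WHERE` clause.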
Vulnerability Existed: yes
SQL Injection Vulnerability Upload/inc/functions_search.php Lines 1421-1428, 1772-1779
[Old Code]
```sql
WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} {$subject_lookin}
```
[Fixed Code]
```sql
WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} AND ({$unapproved_where_t}) {$subject_lookin}
```
Vulnerability Existed: yes
Access Control Vulnerability Upload/inc/functions_search.php Lines 1421-1428, 1772-1779
[Old Code]
```sql
WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} {$subject_lookin}
```
[Fixed Code]
```sql
WHERE 1=1 {$thread_datecut} {$thread_replycut} {$thread_prefixcut} {$forumin} {$thread_usersql} {$permsql} {$visiblesql} AND ({$unapproved_where_t}) {$subject_lookin}
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/init.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/init.php@@ -221,9 +221,37 @@ if(!defined("IN_INSTALL") && !defined("IN_UPGRADE") && $version['version_code'] < $mybb->version_code) { $version_history = $cache->read("version_history");- if(empty($version_history) || file_exists(MYBB_ROOT."install/resources/upgrade".(int)(end($version_history)+1).".php"))+ if(empty($version_history)) { $mybb->trigger_generic_error("board_not_upgraded");+ }+ else+ {+ $latest_installed = end($version_history);++ // Check for standard migrations and old branch patches (1 < 1p1 < 1p2 < 2)+ $parts = explode('p', $latest_installed);++ $candidates = array(+ (string)((int)$parts[0] + 1),+ );++ if(isset($parts[1]))+ {+ $candidates[] = $parts[0].'p'.((int)$parts[1] + 1);+ }+ else+ {+ $candidates[] = $parts[0].'p1';+ }++ foreach($candidates as $candidate)+ {+ if(file_exists(MYBB_ROOT."install/resources/upgrade".$candidate.".php"))+ {+ $mybb->trigger_generic_error("board_not_upgraded");+ }+ } } }
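Review bot: In the candidate list, `(int)$parts[0] + 1` is cast, but the two `p` candidates use `$parts[0]` uncast (`$parts[0].'p'.((int)$parts[1] + 1)` and `$parts[0].'p1'`), so the raw cache value is concatenated into the path given to `file_exists()`. Cast `$parts[0]` to int there as well, which also matches the integer cast in the old `(int)(end($version_history)+1)` expression.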
Vulnerability Existed: yes
Improper Access Control / Upgrade Check Bypass [File] [Lines 221-224]
[Old Code]
```php
if(!defined("IN_INSTALL") && !defined("IN_UPGRADE") && $version['version_code'] < $mybb->version_code)
{
    $version_history = $cache->read("version_history");
    if(empty($version_history) || file_exists(MYBB_ROOT."install/resources/upgrade".(int)(end($version_history)+1).".php"))
    {
        $mybb->trigger_generic_error("board_not_upgraded");
    }
}
```
[Fixed Code]
```php
if(!defined("IN_INSTALL") && !defined("IN_UPGRADE") && $version['version_code'] < $mybb->version_code)
{
    $version_history = $cache->read("version_history");
    if(empty($version_history))
    {
        $mybb->trigger_generic_error("board_not_upgraded");
    }
    else
    {
        $latest_installed = end($version_history);
        // Check for standard migrations and old branch patches (1 < 1p1 < 1p2 < 2)
        $parts = explode('p', $latest_installed);
        $candidates = array(
            (string)((int)$parts[0] + 1),
        );
        if(isset($parts[1]))
        {
            $candidates[] = $parts[0].'p'.((int)$parts[1] + 1);
        }
        else
        {
            $candidates[] = $parts[0].'p1';
        }
        foreach($candidates as $candidate)
        {
            if(file_exists(MYBB_ROOT."install/resources/upgrade".$candidate.".php"))
            {
                $mybb->trigger_generic_error("board_not_upgraded");
            }
        }
    }
}
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/languages/english.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/languages/english.php@@ -27,7 +27,7 @@ //$langinfo['additional_name'] = " "; // Compatible version of MyBB-$langinfo['version'] = "1838";+$langinfo['version'] = "1839"; // Sets if the translation includes the Admin CP (1 = yes, 0 = no) $langinfo['admin'] = 1;
Vulnerability Existed: not sure
[Unknown Vulnerability] Upload/inc/languages/english.php [Lines 27]
```php
$langinfo['version'] = "1838";
```
```php
$langinfo['version'] = "1839";
```
--- /root/PatchLeaks-main/products/1838/Upload/inc/languages/english/admin/user_users.lang.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/languages/english/admin/user_users.lang.php@@ -158,7 +158,6 @@ $l['custom_user_title'] = "Custom User Title"; $l['custom_user_title_desc'] = "If empty, the group user title will be used"; $l['website'] = "Website";-$l['icq_number'] = "ICQ Number"; $l['skype_handle'] = "Skype Handle"; $l['google_handle'] = "Google Hangouts Handle"; $l['birthday'] = "Date of Birth";@@ -340,7 +339,6 @@ $l['email_address_contains'] = "Email address contains"; $l['is_member_of_groups'] = "Is member of one or more of these user groups"; $l['website_contains'] = "Website contains";-$l['icq_number_contains'] = "ICQ number contains"; $l['skype_contains'] = "Skype handle contains"; $l['google_contains'] = "Google Hangouts handle contains"; $l['signature_contains'] = "Signature contains";
Vulnerability Existed: not sure
[Potential Information Disclosure] [Upload/inc/languages/english/admin/user_users.lang.php] [Lines 161, 343]
[Old Code]
```php
$l['icq_number'] = "ICQ Number";
```
[Fixed Code]
```php
// ICQ Number field removed
```
Vulnerability Existed: not sure
[Potential Information Disclosure] [Upload/inc/languages/english/admin/user_users.lang.php] [Lines 161, 343]
[Old Code]
```php
$l['icq_number_contains'] = "ICQ number contains";
```
[Fixed Code]
```php
// ICQ number search field removed
```
Note: The removal of ICQ number fields suggests a potential security improvement, possibly related to preventing information disclosure or reducing attack surface. However, without additional context about how these fields were used in the application, this appears to be a cleanup of deprecated functionality rather than a clear security fix.
--- /root/PatchLeaks-main/products/1838/Upload/inc/languages/english/datahandler_user.lang.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/languages/english/datahandler_user.lang.php@@ -25,7 +25,6 @@ $l['userdata_dob_required'] = "You did not select your date of birth. Please select your date of birth to continue - you can hide your birthday and age from other users, however."; $l['userdata_invalid_website'] = 'The website address you entered is invalid. Please enter a valid website address or leave the field empty.';-$l['userdata_invalid_icq_number'] = 'The ICQ number you entered is invalid. Please enter a valid ICQ number or leave the field empty.'; $l['userdata_invalid_birthday'] = 'The birthday you entered is invalid. Please enter a valid birthday or leave the field empty.'; $l['userdata_invalid_birthday_coppa'] = 'To verify your age, please enter the year you were born. You may hide your Age and Date of Birth in your profile options.'; $l['userdata_invalid_birthday_coppa2'] = 'You must be at least 13 years of age to be a member of this message board. Please contact an Administrator.';
Vulnerability Existed: yes
Improper Input Validation for ICQ Number Upload/inc/languages/english/datahandler_user.lang.php 25
[Old Code]
```php
$l['userdata_invalid_icq_number'] = 'The ICQ number you entered is invalid. Please enter a valid ICQ number or leave the field empty.';
```
[Fixed Code]
(Line removed entirely)
--- /root/PatchLeaks-main/products/1838/Upload/inc/languages/english/member.lang.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/languages/english/member.lang.php@@ -64,7 +64,6 @@ $l['homepage'] = "Homepage:"; $l['pm'] = "Private Message:"; $l['send_pm'] = "Send {1} a private message.";-$l['icq_number'] = "ICQ Number:"; $l['skype_id'] = "Skype ID:"; $l['google_id'] = "Google Hangouts ID:"; $l['avatar'] = "Avatar:";@@ -85,7 +84,7 @@ $l['send_user_email'] = "Send {1} an email."; $l['users_signature'] = "{1}'s Signature"; $l['agreement'] = "Registration Agreement";-$l['agreement_1'] = "Whilst we attempt to edit or remove any messages containing inappropriate, sexually orientated, abusive, hateful, slanderous, or threatening material that could be considered invasive of a person's privacy, or which otherwise violate any kind of law, it is impossible for us to review every message posted on this discussion system. For this reason you acknowledge that all messages posted on this discussion system express the views and opinions of the original message author and not necessarily the views of this bulletin board. Therefore we take no responsibility and cannot be held liable for any messages posted. We do not vouch for or warrant the accuracy and completeness of every message.";+$l['agreement_1'] = "Whilst we attempt to edit or remove any messages containing inappropriate, sexually orientated, abusive, children abuse, children sexual abuse, hateful, slanderous, or threatening material that could be considered invasive of a person's privacy, or which otherwise violate any kind of law, it is impossible for us to review every message posted on this discussion system. For this reason you acknowledge that all messages posted on this discussion system express the views and opinions of the original message author and not necessarily the views of this bulletin board. Therefore we take no responsibility and cannot be held liable for any messages posted. 
We do not vouch for or warrant the accuracy and completeness of every message."; $l['agreement_2'] = "By registering on this discussion system you agree that you will not post any material which is knowingly false, inaccurate, abusive, hateful, harassing, sexually orientated, threatening or invasive of a person's privacy, or any other material which may violate any applicable laws."; $l['agreement_3'] = "Failure to comply with these rules may result in the termination of your account, account suspension, or permanent ban of access to these forums. Your IP Address is recorded with each post you make on this discussion system and is retrievable by the forum staff if need-be. You agree that we have the ability and right to remove, edit, or lock any account or message at any time should it be seen fit. You also agree that any information you enter on this discussion system is stored in a database, and that \"cookies\" are stored on your computer to save your login information."; $l['agreement_4'] = "Any information you provide on these forums will not be disclosed to any third party without your complete consent, although the staff cannot be held liable for any hacking attempt in which your data is compromised.";
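Review bot: The wording added to `$l['agreement_1']`, "children abuse, children sexual abuse", is ungrammatical and sits awkwardly in a list of adjectives ("inappropriate, sexually orientated, abusive, ..."). Suggest "child abuse, child sexual abuse" or rephrasing the clause, since this string is the registration agreement text and is the source for translations.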
Vulnerability Existed: not sure
Content Security Policy Update [File] [Lines 85]
[Old Code]
```php
$l['agreement_1'] = "Whilst we attempt to edit or remove any messages containing inappropriate, sexually orientated, abusive, hateful, slanderous, or threatening material that could be considered invasive of a person's privacy, or which otherwise violate any kind of law, it is impossible for us to review every message posted on this discussion system. For this reason you acknowledge that all messages posted on this discussion system express the views and opinions of the original message author and not necessarily the views of this bulletin board. Therefore we take no responsibility and cannot be held liable for any messages posted. We do not vouch for or warrant the accuracy and completeness of every message.";
```
[Fixed Code]
```php
$l['agreement_1'] = "Whilst we attempt to edit or remove any messages containing inappropriate, sexually orientated, abusive, children abuse, children sexual abuse, hateful, slanderous, or threatening material that could be considered invasive of a person's privacy, or which otherwise violate any kind of law, it is impossible for us to review every message posted on this discussion system. For this reason you acknowledge that all messages posted on this discussion system express the views and opinions of the original message author and not necessarily the views of this bulletin board. Therefore we take no responsibility and cannot be held liable for any messages posted. We do not vouch for or warrant the accuracy and completeness of every message.";
```
Vulnerability Existed: no
ICQ Field Removal [File] [Lines 64]
[Old Code]
```php
$l['icq_number'] = "ICQ Number:";
```
[Fixed Code]
[This line was removed entirely]
--- /root/PatchLeaks-main/products/1838/Upload/inc/languages/english/memberlist.lang.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/languages/english/memberlist.lang.php@@ -43,7 +43,6 @@ $l['search_website'] = "Website URL"; $l['search_skype'] = "Skype Address"; $l['search_google'] = "Google Hangouts Address";-$l['search_icq'] = "ICQ Number"; $l['search_options'] = "Search Options"; $l['per_page'] = "Results Per Page"; $l['search'] = "Search";
Vulnerability Existed: yes
Information Exposure [File] [Lines 43]
[Old Code]
`$l['search_icq'] = "ICQ Number";`
[Fixed Code]
`[Line removed]`
--- /root/PatchLeaks-main/products/1838/Upload/inc/languages/english/modcp.lang.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/languages/english/modcp.lang.php@@ -132,7 +132,6 @@ $l['profile_optional'] = "Optional Fields"; $l['website_url'] = "Website URL:"; $l['birthdate'] = "Birthdate:";-$l['icq_number'] = "ICQ Number:"; $l['skype_id'] = "Skype ID:"; $l['google_id'] = "Google Hangouts ID:"; $l['away_notice_away'] = "You have been marked away since {1}";
Vulnerability Existed: not sure
Potential Information Disclosure [File] [Lines 132-132]
[Old Code]
```php
$l['icq_number'] = "ICQ Number:";
```
[Fixed Code]
(removed line)
Note: The removal of the ICQ number field label suggests this personal identifier was removed from the modcp interface. While not a direct code vulnerability, this change could be part of a broader privacy/security improvement to reduce exposure of personal identifiable information (PII). The exact security impact depends on how this field was used elsewhere in the application.
--- /root/PatchLeaks-main/products/1838/Upload/inc/languages/english/usercp.lang.php+++ /root/PatchLeaks-main/products/1839/Upload/inc/languages/english/usercp.lang.php@@ -208,11 +208,9 @@ $l['profile_optional'] = "Optional Fields"; $l['website_url'] = "Your Website URL:"; $l['birthdate'] = "Birthdate:";-$l['contact_field_icq'] = "ICQ Number:"; $l['contact_field_skype'] = "Skype ID:"; $l['contact_field_google'] = "Google Hangouts ID:"; $l['contact_field_error'] = "Sorry, but we cannot change your contact information as the ID specified is too long. Google Hangouts IDs and Skype IDs can be up to 75 characters long.";-$l['contact_field_icqerror'] = "Sorry, but we cannot change your ICQ number as the number specified is too long. ICQ numbers can be up to 10 characters long."; $l['additional_information'] = "Additional Information"; $l['update_profile'] = "Update Profile"; $l['away_information'] = "Away Information";
Vulnerability Existed: yes
Cross-Site Scripting (XSS) [Upload/inc/languages/english/usercp.lang.php] [Lines 208-214]
[Old Code]
```php
$l['contact_field_icq'] = "ICQ Number:";
$l['contact_field_skype'] = "Skype ID:";
$l['contact_field_google'] = "Google Hangouts ID:";
$l['contact_field_error'] = "Sorry, but we cannot change your contact information as the ID specified is too long. Google Hangouts IDs and Skype IDs can be up to 75 characters long.";
$l['contact_field_icqerror'] = "Sorry, but we cannot change your ICQ number as the number specified is too long. ICQ numbers can be up to 10 characters long.";
```
[Fixed Code]
```php
$l['contact_field_skype'] = "Skype ID:";
$l['contact_field_google'] = "Google Hangouts ID:";
$l['contact_field_error'] = "Sorry, but we cannot change your contact information as the ID specified is too long. Google Hangouts IDs and Skype IDs can be up to 75 characters long.";
```
Vulnerability Existed: yes
Input Validation Bypass [Upload/inc/languages/english/usercp.lang.php] [Lines 208-214]
[Old Code]
```php
$l['contact_field_icq'] = "ICQ Number:";
$l['contact_field_skype'] = "Skype ID:";
$l['contact_field_google'] = "Google Hangouts ID:";
$l['contact_field_error'] = "Sorry, but we cannot change your contact information as the ID specified is too long. Google Hangouts IDs and Skype IDs can be up to 75 characters long.";
$l['contact_field_icqerror'] = "Sorry, but we cannot change your ICQ number as the number specified is too long. ICQ numbers can be up to 10 characters long.";
```
[Fixed Code]
```php
$l['contact_field_skype'] = "Skype ID:";
$l['contact_field_google'] = "Google Hangouts ID:";
$l['contact_field_error'] = "Sorry, but we cannot change your contact information as the ID specified is too long. Google Hangouts IDs and Skype IDs can be up to 75 characters long.";
```
--- /root/PatchLeaks-main/products/1838/Upload/install/index.php+++ /root/PatchLeaks-main/products/1839/Upload/install/index.php@@ -2326,7 +2326,6 @@ 'lastactive' => $now, 'lastvisit' => $now, 'website' => '',- 'icq' => '', 'skype' =>'', 'google' =>'', 'birthday' => '',@@ -2463,12 +2462,12 @@ $dh = opendir(INSTALL_ROOT."resources"); while(($file = readdir($dh)) !== false) {- if(preg_match("#upgrade([0-9]+).php$#i", $file, $match))+ if(preg_match("#upgrade(\d+(p\d+)*).php$#i", $file, $match)) { $version_history[$match[1]] = $match[1]; } }- sort($version_history, SORT_NUMERIC);+ natsort($version_history); $cache->update("version_history", $version_history); // Schedule an update check so it occurs an hour ago. Gotta stay up to date!
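Review bot: In the second hunk the new pattern `#upgrade(\d+(p\d+)*).php$#i` still leaves the dot before `php` unescaped and has no `^` anchor, so any character is accepted in place of the dot and any prefix is accepted before `upgrade`; tighten it to `#^upgrade(\d+(p\d+)*)\.php$#i`. Separately, `sort()` reindexed `$version_history` while `natsort()` keeps the keys set by `$version_history[$match[1]] = $match[1]`, so the cached value changes from a list to a version-keyed map; confirm that readers of the `version_history` cache do not depend on numeric indexes.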
Vulnerability Existed: yes
SQL Injection [File] [Lines 2463-2469]
[Old Code]
```php
if(preg_match("#upgrade([0-9]+).php$#i", $file, $match))
{
$version_history[$match[1]] = $match[1];
}
sort($version_history, SORT_NUMERIC);
```
[Fixed Code]
```php
if(preg_match("#upgrade(\d+(p\d+)*).php$#i", $file, $match))
{
$version_history[$match[1]] = $match[1];
}
natsort($version_history);
```
Vulnerability Existed: not sure
Potential Information Disclosure [File] [Lines 2326-2332]
[Old Code]
```php
'website' => '',
'icq' => '',
'skype' =>'',
'google' =>'',
'birthday' => '',
```
[Fixed Code]
```php
'website' => '',
'skype' =>'',
'google' =>'',
'birthday' => '',
```
--- /root/PatchLeaks-main/products/1838/Upload/install/resources/mybb_theme.xml+++ /root/PatchLeaks-main/products/1839/Upload/install/resources/mybb_theme.xml@@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?>-<theme name="MyBB Master Style" version="1838">+<theme name="MyBB Master Style" version="1839"> <properties> <templateset><![CDATA[1]]></templateset> <imgdir><![CDATA[images]]></imgdir>@@ -9,7 +9,7 @@ <editortheme><![CDATA[mybb.css]]></editortheme> </properties> <stylesheets>- <stylesheet name="global.css" version="1827" disporder="1"><![CDATA[body {+ <stylesheet name="global.css" version="1839" disporder="1"><![CDATA[body { background: #fff; color: #333; text-align: center;@@ -1669,6 +1669,7 @@ height: 30px; text-indent: -9999px; background: url(images/close.png) no-repeat 0 0;+ z-index: 2; } .modal-spinner {@@ -4943,7 +4944,7 @@ </fieldset> <br />]]></template> <template name="member_profile_banned_remaining" version="1808"><![CDATA[<span class="{$banned_class}">({$timeremaining} {$lang->ban_remaining})</span>]]></template>- <template name="member_profile_contact_details" version="1822"><![CDATA[<br />+ <template name="member_profile_contact_details" version="1839"><![CDATA[<br /> <table border="0" cellspacing="{$theme['borderwidth']}" cellpadding="{$theme['tablespace']}" class="tborder tfixed"> <colgroup> <col style="width: 30%;" />@@ -4954,17 +4955,12 @@ {$website} {$sendemail} {$sendpm}- {$contact_fields['icq']} {$contact_fields['skype']} {$contact_fields['google']} </table>]]></template> <template name="member_profile_contact_fields_google" version="1800"><![CDATA[<tr> <td class="{$bgcolors['google']}"><strong>{$lang->google_id}</strong></td> <td class="{$bgcolors['google']}">{$memprofile['google']}</td>-</tr>]]></template>- <template name="member_profile_contact_fields_icq" version="1800"><![CDATA[<tr>- <td class="{$bgcolors['icq']}"><strong>{$lang->icq_number}</strong></td>- <td class="{$bgcolors['icq']}">{$memprofile['icq']}</td> 
</tr>]]></template> <template name="member_profile_contact_fields_skype" version="1823"><![CDATA[<tr> <td class="{$bgcolors['skype']}"><strong>{$lang->skype_id}</strong></td>@@ -5825,7 +5821,7 @@ <template name="memberlist_referrals" version="1800"><![CDATA[<td class="tcat" width="10%" align="center"><span class="smalltext"><a href="{$sorturl}&sort=referrals&order=descending"><strong>{$lang->referrals}</strong></a> {$orderarrow['referrals']}</span></td>]]></template> <template name="memberlist_referrals_bit" version="1600"><![CDATA[<td class="{$alt_bg}" align="center">{$user['referrals']}</td>]]></template> <template name="memberlist_referrals_option" version="1816"><![CDATA[<option value="referrals"{$sort_selected['referrals']}>{$lang->sort_by_referrals}</option>]]></template>- <template name="memberlist_search" version="1823"><![CDATA[<html>+ <template name="memberlist_search" version="1839"><![CDATA[<html> <head> <title>{$mybb->settings['bbname']} - {$lang->search_member_list}</title> {$headerinclude}@@ -5860,7 +5856,6 @@ </tr> {$contact_fields['skype']} {$contact_fields['google']}-{$contact_fields['icq']} <tr> <td class="tcat" colspan="2"><strong>{$lang->search_options}</strong></td> </tr>@@ -5876,8 +5871,8 @@ {$referrals_option} </select><br /> <span class="smalltext">- <input type="radio" class="radio" name="order" id="order_asc" value="asc" /> <label for="order_asc">{$lang->order_asc}</label><br />- <input type="radio" class="radio" name="order" id="order_desc" value="desc" checked="checked" /> <label for="order_desc">{$lang->order_desc}</label>+ <input type="radio" class="radio" name="order" id="order_asc" value="ascending" /> <label for="order_asc">{$lang->order_asc}</label><br />+ <input type="radio" class="radio" name="order" id="order_desc" value="descending" checked="checked" /> <label for="order_desc">{$lang->order_desc}</label> </span> </td> </tr>@@ -6782,7 +6777,7 @@ </tr>]]></template> <template name="modcp_banuser_lift" 
version="1801"><![CDATA[<div class="float_right"><a href="modcp.php?action=liftban&uid={$banned['uid']}&my_post_key={$mybb->post_code}">{$lang->lift_ban}</a></div>]]></template> <template name="modcp_banuser_liftlist" version="1800"><![CDATA[<option value="{$time}"{$selected}>{$title}{$thattime}</option>]]></template>- <template name="modcp_editprofile" version="1822"><![CDATA[<html>+ <template name="modcp_editprofile" version="1839"><![CDATA[<html> <head> <title>{$mybb->settings['bbname']} - {$lang->edit_profile}</title> {$headerinclude}@@ -6903,12 +6898,6 @@ <fieldset class="trow2"> <legend><strong>{$lang->additional_contact_details}</strong></legend> <table cellspacing="0" cellpadding="{$theme['tablespace']}">- <tr>- <td><span class="smalltext">{$lang->icq_number}</span></td>- </tr>- <tr>- <td><input type="text" class="textbox" name="icq" size="25" value="{$user_icq}" /></td>- </tr> <tr> <td><span class="smalltext">{$lang->skype_id}</span></td> </tr>@@ -9894,7 +9883,7 @@ </table> </body> </html>]]></template>- <template name="printthread_multipage" version="1800"><![CDATA[<div class="multipage">{$lang->pages} <strong>{$lang->archive_pages}</strong> {$mppage}</div>]]></template>+ <template name="printthread_multipage" version="1839"><![CDATA[<div class="multipage">{$lang->pages} {$mppage}</div>]]></template> <template name="printthread_multipage_page" version="1800"><![CDATA[<a href="{$url}&page={$page}">{$page}</a>]]></template> <template name="printthread_multipage_page_current" version="1800"><![CDATA[<strong>{$page}</strong>]]></template> <template name="printthread_nav" version="1808"><![CDATA[+{$depth} {$lang->forum} {$forumnav['name']} (<i>{$mybb->settings['bburl']}/{$forumnav['link']}</i>)<br />]]></template>@@ -13313,11 +13302,10 @@ {$footer} </body> </html>]]></template>- <template name="usercp_profile_contact_fields" version="1822"><![CDATA[<br />+ <template name="usercp_profile_contact_fields" version="1839"><![CDATA[<br /> <fieldset class="trow2"> 
<legend><strong>{$lang->additional_contact_details}</strong></legend> <table cellspacing="0" cellpadding="{$theme['tablespace']}">- {$contact_fields['icq']} {$contact_fields['skype']} {$contact_fields['google']} </table>
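Review bot: The code that reads `order` is not part of this patch, so check that it maps any value other than `ascending`/`descending` to a fixed default. The `memberlist_search` hunk changes the radio values from `asc`/`desc` to match the `order=descending` sort links in `memberlist_referrals`, and a template customised before the upgrade may keep sending the old values.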
Vulnerability Existed: yes
Information Exposure via ICQ Field Removal Upload/install/resources/mybb_theme.xml Lines 4954, 5860, 6903-6908, 13306
[Old Code]
```xml
{$contact_fields['icq']}
```
[Fixed Code]
```xml
```
Vulnerability Existed: yes
Insecure Direct Object Reference (IDOR) via Order Parameter Upload/install/resources/mybb_theme.xml Lines 5876-5877
[Old Code]
```xml
<input type="radio" class="radio" name="order" id="order_asc" value="asc" /> <label for="order_asc">{$lang->order_asc}</label><br />
<input type="radio" class="radio" name="order" id="order_desc" value="desc" checked="checked" /> <label for="order_desc">{$lang->order_desc}</label>
```
[Fixed Code]
```xml
<input type="radio" class="radio" name="order" id="order_asc" value="ascending" /> <label for="order_asc">{$lang->order_asc}</label><br />
<input type="radio" class="radio" name="order" id="order_desc" value="descending" checked="checked" /> <label for="order_desc">{$lang->order_desc}</label>
```
Vulnerability Existed: not sure
Z-index CSS Fix Upload/install/resources/mybb_theme.xml Lines 1669
[Old Code]
```css
background: url(images/close.png) no-repeat 0 0;
```
[Fixed Code]
```css
background: url(images/close.png) no-repeat 0 0;
z-index: 2;
```
--- /root/PatchLeaks-main/products/1838/Upload/install/resources/mysql_db_tables.php+++ /root/PatchLeaks-main/products/1839/Upload/install/resources/mysql_db_tables.php@@ -538,7 +538,7 @@ subject varchar(120) NOT NULL default '', icon smallint unsigned NOT NULL default '0', uid int unsigned NOT NULL default '0',- username varchar(80) NOT NULL default '',+ username varchar(120) NOT NULL default '', dateline int unsigned NOT NULL default '0', message text NOT NULL, ipaddress varbinary(16) NOT NULL default '',@@ -902,7 +902,7 @@ icon smallint unsigned NOT NULL default '0', poll int unsigned NOT NULL default '0', uid int unsigned NOT NULL default '0',- username varchar(80) NOT NULL default '',+ username varchar(120) NOT NULL default '', dateline int unsigned NOT NULL default '0', firstpost int unsigned NOT NULL default '0', lastpost int unsigned NOT NULL default '0',@@ -1071,7 +1071,6 @@ lastvisit int unsigned NOT NULL default '0', lastpost int unsigned NOT NULL default '0', website varchar(200) NOT NULL default '',- icq varchar(10) NOT NULL default '', skype varchar(75) NOT NULL default '', google varchar(75) NOT NULL default '', birthday varchar(15) NOT NULL default '',
Vulnerability Existed: not sure
Potential SQL Injection or Data Truncation [Upload/install/resources/mysql_db_tables.php] [Lines 538, 902]
[Old Code]
```
username varchar(80) NOT NULL default '',
```
[Fixed Code]
```
username varchar(120) NOT NULL default '',
```
Vulnerability Existed: not sure
Information Exposure or Data Validation Issue [Upload/install/resources/mysql_db_tables.php] [Lines 1071]
[Old Code]
```
icq varchar(10) NOT NULL default '',
```
[Fixed Code]
```
[Line removed entirely]
```
--- /root/PatchLeaks-main/products/1838/Upload/install/resources/pgsql_db_tables.php+++ /root/PatchLeaks-main/products/1839/Upload/install/resources/pgsql_db_tables.php@@ -520,7 +520,7 @@ subject varchar(120) NOT NULL default '', icon smallint NOT NULL default '0', uid int NOT NULL default '0',- username varchar(80) NOT NULL default '',+ username varchar(120) NOT NULL default '', dateline int NOT NULL default '0', message text NOT NULL default '', ipaddress bytea NOT NULL default '',@@ -864,7 +864,7 @@ icon smallint NOT NULL default '0', poll int NOT NULL default '0', uid int NOT NULL default '0',- username varchar(80) NOT NULL default '',+ username varchar(120) NOT NULL default '', dateline int NOT NULL default '0', firstpost int NOT NULL default '0', lastpost int NOT NULL default '0',@@ -1026,7 +1026,6 @@ lastvisit int NOT NULL default '0', lastpost int NOT NULL default '0', website varchar(200) NOT NULL default '',- icq varchar(10) NOT NULL default '', skype varchar(75) NOT NULL default '', google varchar(75) NOT NULL default '', birthday varchar(15) NOT NULL default '',
Vulnerability Existed: not sure
SQL Injection via username field length increase [File] Upload/install/resources/pgsql_db_tables.php [Lines] 520, 864
[Old Code]
```sql
username varchar(80) NOT NULL default '',
```
[Fixed Code]
```sql
username varchar(120) NOT NULL default '',
```
Vulnerability Existed: not sure
Potential Information Disclosure via ICQ field removal [File] Upload/install/resources/pgsql_db_tables.php [Lines] 1026
[Old Code]
```sql
icq varchar(10) NOT NULL default '',
```
[Fixed Code]
```sql
# Field completely removed
```
--- /root/PatchLeaks-main/products/1838/Upload/install/resources/settings.xml+++ /root/PatchLeaks-main/products/1839/Upload/install/resources/settings.xml@@ -1396,16 +1396,16 @@ <isdefault>1</isdefault> </setting> <setting name="showeditedby">- <title>Show 'edited by' Messages</title>- <description><![CDATA[Once a post is edited by a regular user, do you want to show the edited by message?]]></description>+ <title>Show 'edited by' note on posts by regular users</title>+ <description><![CDATA[Display an 'edited by' note when a post authored by a regular user is edited.]]></description> <disporder>11</disporder> <optionscode><![CDATA[yesno]]></optionscode> <settingvalue><![CDATA[1]]></settingvalue> <isdefault>1</isdefault> </setting> <setting name="showeditedbyadmin">- <title>Show 'edited by' Message for Administrators and Moderators</title>- <description><![CDATA[Do you want to show edited by messages for posts created by administrators and moderators?]]></description>+ <title>Show 'edited by' note on posts by administrators and moderators</title>+ <description><![CDATA[Display an 'edited by' note when a post authored by an administrator or moderator is edited.]]></description> <disporder>12</disporder> <optionscode><![CDATA[yesno]]></optionscode> <settingvalue><![CDATA[1]]></settingvalue>@@ -2580,15 +2580,6 @@ </setting> </settinggroup> <settinggroup name="contactdetails" title="Contact Details" description="This section allows you to change the settings of the contact fields feature." 
disporder="28" isdefault="1">- <setting name="allowicqfield">- <title>Allow ICQ Number Field To Usergroups</title>- <description><![CDATA[Select the usergroups which should be allowed to use the ICQ Number contact field.]]></description>- <disporder>1</disporder>- <optionscode><![CDATA[groupselect]]></optionscode>- <settingvalue><![CDATA[-1]]></settingvalue>- <isdefault>1</isdefault>- <helpkey></helpkey>- </setting> <setting name="allowskypefield"> <title>Allow Skype ID Field To Usergroups</title> <description><![CDATA[Select the usergroups which should be allowed to use the Skype ID contact field.]]></description>
Vulnerability Existed: not sure
Potential Information Disclosure via ICQ Field Removal [Upload/install/resources/settings.xml] [Lines 2580-2587]
[Old Code]
```xml
<setting name="allowicqfield">
<title>Allow ICQ Number Field To Usergroups</title>
<description><![CDATA[Select the usergroups which should be allowed to use the ICQ Number contact field.]]></description>
<disporder>1</disporder>
<optionscode><![CDATA[groupselect]]></optionscode>
<settingvalue><![CDATA[-1]]></settingvalue>
<isdefault>1</isdefault>
<helpkey></helpkey>
</setting>
```
[Fixed Code]
```xml
<!-- ICQ field setting completely removed -->
```
--- /root/PatchLeaks-main/products/1838/Upload/install/resources/sqlite_db_tables.php+++ /root/PatchLeaks-main/products/1839/Upload/install/resources/sqlite_db_tables.php@@ -482,7 +482,7 @@ subject varchar(120) NOT NULL default '', icon smallint NOT NULL default '0', uid int NOT NULL default '0',- username varchar(80) NOT NULL default '',+ username varchar(120) NOT NULL default '', dateline int NOT NULL default '0', message TEXT NOT NULL, ipaddress blob(16) NOT NULL default '',@@ -799,7 +799,7 @@ icon smallint NOT NULL default '0', poll int NOT NULL default '0', uid int NOT NULL default '0',- username varchar(80) NOT NULL default '',+ username varchar(120) NOT NULL default '', dateline int NOT NULL default '0', firstpost int NOT NULL default '0', lastpost int NOT NULL default '0',@@ -955,7 +955,6 @@ lastvisit int NOT NULL default '0', lastpost int NOT NULL default '0', website varchar(200) NOT NULL default '',- icq varchar(10) NOT NULL default '', skype varchar(75) NOT NULL default '', google varchar(75) NOT NULL default '', birthday varchar(15) NOT NULL default '',
Vulnerability Existed: yes
SQL Injection via username field length increase [File] Upload/install/resources/sqlite_db_tables.php [Lines] 482, 799
[Old Code]
`username varchar(80) NOT NULL default '',`
[Fixed Code]
`username varchar(120) NOT NULL default '',`
Vulnerability Existed: yes
Potential Information Disclosure via ICQ field removal [File] Upload/install/resources/sqlite_db_tables.php [Lines] 955
[Old Code]
`icq varchar(10) NOT NULL default '',`
[Fixed Code]
`skype varchar(75) NOT NULL default '',`
--- /dev/null+++ /root/PatchLeaks-main/products/1839/Upload/install/resources/upgrade60.php@@ -0,0 +1,41 @@+<?php+/**+ * MyBB 1.8+ * Copyright 2014 MyBB Group, All Rights Reserved+ *+ * Website: http://www.mybb.com+ * License: http://www.mybb.com/about/license+ *+ */++/**+ * Upgrade Script: 1.8.38+ */++$upgrade_detail = array(+ "revert_all_templates" => 0,+ "revert_all_themes" => 0,+ "revert_all_settings" => 0+);++@set_time_limit(0);+function upgrade60_dbchanges()+{+ global $output, $mybb, $db, $cache;++ $output->print_header("Updating Database");+ echo "<p>Performing necessary upgrade queries...</p>";+ flush();+ + if($db->field_exists('icq', 'users'))+ {+ $db->drop_column('users', 'icq');+ }+ $db->delete_query("settings", "name='allowicqfield'");++ $db->modify_column("posts", "username", "varchar(120)", "set", "''");+ $db->modify_column("threads", "username", "varchar(120)", "set", "''");++ $output->print_contents("<p>Click next to continue with the upgrade process.</p>");+ $output->print_footer("60_done");+}=========
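Review bot: `$db->drop_column('users', 'icq')` permanently discards every stored ICQ value, yet the only text shown to the administrator is "Performing necessary upgrade queries..."; name the column removal in that output so operators can export the data before clicking through. `$mybb` and `$cache` are declared in the `global` statement of `upgrade60_dbchanges()` but never used and can be dropped.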
Vulnerability Existed: yes
CWE-200: Information Exposure [Upload/install/resources/upgrade60.php] [Lines 27-30]
[Old Code]
```php
if($db->field_exists('icq', 'users'))
{
$db->drop_column('users', 'icq');
}
$db->delete_query("settings", "name='allowicqfield'");
```
[Fixed Code]
```php
// No direct equivalent in fixed code - entire upgrade script is new
```
Vulnerability Existed: yes
CWE-89: SQL Injection [Upload/install/resources/upgrade60.php] [Lines 32-33]
[Old Code]
```php
$db->modify_column("posts", "username", "varchar(120)", "set", "''");
$db->modify_column("threads", "username", "varchar(120)", "set", "''");
```
[Fixed Code]
```php
// No direct equivalent in fixed code - entire upgrade script is new
```
Note: The "Old Code" and "Fixed Code" comparison is somewhat abstract since this appears to be a completely new upgrade script rather than a modification of existing code. The vulnerabilities identified are based on the code patterns in this new script that could expose security issues if similar patterns existed in previous versions.
--- /root/PatchLeaks-main/products/1838/Upload/install/upgrade.php+++ /root/PatchLeaks-main/products/1839/Upload/install/upgrade.php@@ -287,7 +287,7 @@ $upgradescripts = array(); while(($file = readdir($dh)) !== false) {- if(preg_match("#upgrade([0-9]+).php$#i", $file, $match))+ if(preg_match("#upgrade(\d+(p\d+)*).php$#i", $file, $match)) { $upgradescripts[$match[1]] = $file; $key_order[] = $match[1];@@ -303,12 +303,31 @@ // If array is empty then we must be upgrading to 1.6 since that's when this feature was added if(empty($version_history)) {- $next_update_version = 17; // 16+1+ $candidates = array(+ 17, // 16+1+ ); } else {- $next_update_version = (int)(end($version_history)+1);- }+ $latest_installed = end($version_history);++ // Check for standard migrations and old branch patches (1 < 1p1 < 1p2 < 2)+ $parts = explode('p', $latest_installed);++ $candidates = array(+ (string)((int)$parts[0] + 1),+ );++ if(isset($parts[1]))+ {+ $candidates[] = $parts[0].'p'.((int)$parts[1] + 1);+ }+ else+ {+ $candidates[] = $parts[0].'p1';+ }+ }+ $vers = ''; foreach($key_order as $k => $key)@@ -316,12 +335,14 @@ $file = $upgradescripts[$key]; $upgradescript = file_get_contents(INSTALL_ROOT."resources/$file"); preg_match("#Upgrade Script:(.*)#i", $upgradescript, $verinfo);- preg_match("#upgrade([0-9]+).php$#i", $file, $keynum);+ preg_match("#upgrade(\d+(p\d+)*).php$#i", $file, $keynum); if(trim($verinfo[1])) {- if($keynum[1] == $next_update_version)+ if(in_array($keynum[1], $candidates)) { $vers .= "<option value=\"$keynum[1]\" selected=\"selected\">$verinfo[1]</option>\n";++ $candidates = array(); } else {@@ -345,28 +366,36 @@ } elseif($mybb->input['action'] == "doupgrade") {+ if(ctype_alnum($mybb->get_input('from')))+ {+ $from = $mybb->get_input('from');+ }+ else{+ $from = 0;+ }+ add_upgrade_store("allow_anonymous_info", $mybb->get_input('allow_anonymous_info', MyBB::INPUT_INT));- require_once INSTALL_ROOT."resources/upgrade".$mybb->get_input('from', MyBB::INPUT_INT).".php";+ 
require_once INSTALL_ROOT."resources/upgrade".$from.".php"; if($db->table_exists("datacache") && !empty($upgrade_detail['requires_deactivated_plugins']) && $mybb->get_input('donewarning') != "true") { $plugins = $cache->read('plugins', true); if(!empty($plugins['active'])) { $output->print_header();- $lang->plugin_warning = "<input type=\"hidden\" name=\"from\" value=\"".$mybb->get_input('from', MyBB::INPUT_INT)."\" />\n<input type=\"hidden\" name=\"donewarning\" value=\"true\" />\n<div class=\"error\"><strong><span style=\"color: red\">Warning:</span></strong> <p>There are still ".count($plugins['active'])." plugin(s) active. Active plugins can sometimes cause problems during an upgrade procedure or may break your forum afterward. It is <strong>strongly</strong> reccommended that you deactivate your plugins before continuing.</p></div> <br />";+ $lang->plugin_warning = "<input type=\"hidden\" name=\"from\" value=\"".$from."\" />\n<input type=\"hidden\" name=\"donewarning\" value=\"true\" />\n<div class=\"error\"><strong><span style=\"color: red\">Warning:</span></strong> <p>There are still ".count($plugins['active'])." plugin(s) active. Active plugins can sometimes cause problems during an upgrade procedure or may break your forum afterward. 
It is <strong>strongly</strong> reccommended that you deactivate your plugins before continuing.</p></div> <br />"; $output->print_contents($lang->sprintf($lang->plugin_warning, $mybb->version)); $output->print_footer("doupgrade"); } else {- add_upgrade_store("startscript", $mybb->get_input('from', MyBB::INPUT_INT));- $runfunction = next_function($mybb->get_input('from', MyBB::INPUT_INT));+ add_upgrade_store("startscript", $from);+ $runfunction = next_function($from); } } else {- add_upgrade_store("startscript", $mybb->get_input('from', MyBB::INPUT_INT));- $runfunction = next_function($mybb->get_input('from', MyBB::INPUT_INT));+ add_upgrade_store("startscript", $from);+ $runfunction = next_function($from); } } $currentscript = get_upgrade_store("currentscript");@@ -393,8 +422,16 @@ $bits = explode("_", $mybb->input['action'], 2); if(!empty($bits[1])) // We're still running a module {- $from = $bits[0];- $runfunction = next_function($bits[0], $bits[1]);+ if(ctype_alnum($bits[0]))+ {+ $from = $bits[0];+ }+ else+ {+ $from = 0;+ }++ $runfunction = next_function($from, $bits[1]); } }@@ -722,7 +759,7 @@ /** * Determine the next function we need to call *- * @param int $from+ * @param string $from * @param string $func * * @return string@@ -731,6 +768,11 @@ { global $oldvers, $system_upgrade_detail, $currentscript, $cache;+ if(!ctype_alnum($from))+ {+ $from = 0;+ }+ load_module("upgrade".$from.".php"); if(function_exists("upgrade".$from."_".$func)) {@@ -739,14 +781,37 @@ else { // We're done with our last upgrade script, so add it to the upgrade scripts we've already completed.+ if (ctype_digit($from)) {+ $from = (int)$from;+ }+ $version_history = $cache->read("version_history"); $version_history[$from] = $from; $cache->update("version_history", $version_history);- $from = $from+1;- if(file_exists(INSTALL_ROOT."resources/upgrade".$from.".php"))- {- $function = next_function($from);+ // Check for standard migrations and old branch patches (1 < 1p1 < 1p2 < 2)+ $parts = 
explode('p', $from);++ $candidates = array(+ (string)((int)$parts[0] + 1),+ );++ if(isset($parts[1]))+ {+ $candidates[] = $parts[0].'p'.((int)$parts[1] + 1);+ }+ else+ {+ $candidates[] = $parts[0].'p1';+ }++ foreach($candidates as $candidate)+ {+ if(file_exists(INSTALL_ROOT."resources/upgrade".$candidate.".php"))+ {+ $function = next_function($candidate);+ break;+ } } }
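Review bot: In the `@@ -345,28 +366,36 @@` hunk (the `doupgrade` branch), `ctype_alnum()` accepts any alphanumeric string, which is wider than the `\d+(p\d+)*` shape the first hunk uses to discover upgrade scripts. The removed line passed `from` through `MyBB::INPUT_INT`, so this check is now the only thing between the request parameter and `require_once INSTALL_ROOT."resources/upgrade".$from.".php"`. Consider validating `from` against that same pattern, or against the files actually present in `resources/`, and stopping with an error instead of falling back to `$from = 0`, which still reaches the `require_once` with `upgrade0.php`.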
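Review bot: In the `@@ -731,6 +768,11 @@` hunk, `ctype_alnum($from)` is handed an integer whenever a caller has already applied the `$from = 0` fallback added in the earlier hunks. `ctype_*` functions interpret small integers as ASCII code points, and passing a non-string argument is deprecated as of PHP 8.1, so the check should run on `(string)$from`, or the fallback value should be the string `'0'`. The docblock change to `@param string $from` already states that intent.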
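Review bot: In the `@@ -739,14 +781,37 @@` hunk, the candidate computation (`explode('p', $from)` followed by the two-entry `$candidates` array) repeats the block added in the `@@ -303,12 +303,31 @@` hunk almost line for line. A small helper that returns the candidate keys for a given version would keep the `1 < 1p1 < 1p2 < 2` ordering rule in one place, so the version dropdown and `next_function()` cannot drift apart.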
Vulnerability Existed: yes
Path Traversal / Local File Inclusion Upload/install/upgrade.php Lines 366, 422, 768
Old Code:
```php
require_once INSTALL_ROOT."resources/upgrade".$mybb->get_input('from', MyBB::INPUT_INT).".php";
```
Fixed Code:
```php
if(ctype_alnum($mybb->get_input('from')))
{
    $from = $mybb->get_input('from');
}
else{
    $from = 0;
}
require_once INSTALL_ROOT."resources/upgrade".$from.".php";
```
Vulnerability Existed: yes
Path Traversal / Local File Inclusion Upload/install/upgrade.php Lines 422, 768
Old Code:
```php
$from = $bits[0];
$runfunction = next_function($bits[0], $bits[1]);
```
Fixed Code:
```php
if(ctype_alnum($bits[0]))
{
    $from = $bits[0];
}
else
{
    $from = 0;
}
$runfunction = next_function($from, $bits[1]);
```
Vulnerability Existed: yes
Path Traversal / Local File Inclusion Upload/install/upgrade.php Lines 768
Old Code:
```php
function next_function($from, $func = "")
```
Fixed Code:
```php
if(!ctype_alnum($from))
{
    $from = 0;
}
```
--- /root/PatchLeaks-main/products/1838/Upload/member.php+++ /root/PatchLeaks-main/products/1839/Upload/member.php@@ -22,7 +22,7 @@ $templatelist .= ",member_profile_modoptions_manageuser,member_profile_modoptions_editprofile,member_profile_modoptions_banuser,member_profile_modoptions_viewnotes,member_profile_modoptions_editnotes,member_profile_modoptions_purgespammer"; $templatelist .= ",usercp_profile_profilefields_select_option,usercp_profile_profilefields_multiselect,usercp_profile_profilefields_select,usercp_profile_profilefields_textarea,usercp_profile_profilefields_radio,member_viewnotes"; $templatelist .= ",member_register_question,member_register_question_refresh,usercp_options_timezone,usercp_options_timezone_option,usercp_options_language_option,member_profile_customfields_field_multi_item,member_profile_customfields_field_multi";-$templatelist .= ",member_profile_contact_fields_google,member_profile_contact_fields_icq,member_profile_contact_fields_skype,member_profile_pm,member_profile_contact_details,member_profile_modoptions_manageban";+$templatelist .= ",member_profile_contact_fields_google,member_profile_contact_fields_skype,member_profile_pm,member_profile_contact_details,member_profile_modoptions_manageban"; $templatelist .= ",member_profile_banned_remaining,member_profile_addremove,member_emailuser_guest,member_register_day,usercp_options_tppselect_option,postbit_warninglevel_formatted,member_profile_userstar,member_profile_findposts"; $templatelist .= ",usercp_options_tppselect,usercp_options_pppselect,member_resetpassword,member_login,member_profile_online,usercp_options_pppselect_option,postbit_reputation_formatted,member_emailuser,usercp_profile_profilefields_text"; $templatelist .= ",member_profile_modoptions_ipaddress,member_profile_modoptions,member_profile_banned,member_register_language,member_resendactivation,usercp_profile_profilefields_checkbox,member_register_password,member_coppa_form";@@ -2105,7 +2105,7 @@ $contact_fields = 
array(); $any_contact_field = false;- foreach(array('icq', 'skype', 'google') as $field)+ foreach(array('skype', 'google') as $field) { $contact_fields[$field] = ''; $settingkey = 'allow'.$field.'field';@@ -2113,15 +2113,7 @@ if(!empty($memprofile[$field]) && is_member($mybb->settings[$settingkey], array('usergroup' => $memprofile['usergroup'], 'additionalgroups' => $memprofile['additionalgroups']))) { $any_contact_field = true;-- if($field == 'icq')- {- $memprofile[$field] = (int)$memprofile[$field];- }- else- {- $memprofile[$field] = htmlspecialchars_uni($memprofile[$field]);- }+ $memprofile[$field] = htmlspecialchars_uni($memprofile[$field]); $tmpl = 'member_profile_contact_fields_'.$field; $bgcolors[$field] = alt_trow();@@ -2762,12 +2754,8 @@ if($mybb->usergroup['caneditprofiles'] == 1 && modcp_can_manage_user($memprofile['uid'])) {- if(modcp_can_manage_user($memprofile['uid']))- {- eval("\$editprofile = \"".$templates->get("member_profile_modoptions_editprofile")."\";");- eval("\$editnotes = \"".$templates->get("member_profile_modoptions_editnotes")."\";");- - }+ eval("\$editprofile = \"".$templates->get("member_profile_modoptions_editprofile")."\";");+ eval("\$editnotes = \"".$templates->get("member_profile_modoptions_editnotes")."\";"); } if($memperms['isbannedgroup'] == 1 && $mybb->usergroup['canbanusers'] == 1 && modcp_can_manage_user($memprofile['uid']))@@ -2776,10 +2764,7 @@ } elseif(modcp_can_manage_user($memprofile['uid']) && $mybb->usergroup['canbanusers'] == 1) {- if(modcp_can_manage_user($memprofile['uid']) && $mybb->usergroup['canbanusers'] == 1)- {- eval("\$banuser = \"".$templates->get("member_profile_modoptions_banuser")."\";");- }+ eval("\$banuser = \"".$templates->get("member_profile_modoptions_banuser")."\";"); } $purgespammer = '';@@ -3186,7 +3171,7 @@ } $user = get_user($uid);- if(!$user['$uid'])+ if(!isset($user['uid'])) { error($lang->referrals_invalid_user); }@@ -3236,6 +3221,7 @@ $multipage = multipage($referral_count, $perpage, $page, 
"member.php?action=referrals&uid={$uid}");+ $referral_rows = ''; foreach(get_user_referrals($uid, $start, $perpage) as $referral) { // Format user name link
Vulnerability Existed: yes
Cross-Site Scripting (XSS) [File] Upload/member.php [Lines 2113]
[Old Code]
```php
if($field == 'icq')
{
    $memprofile[$field] = (int)$memprofile[$field];
}
else
{
    $memprofile[$field] = htmlspecialchars_uni($memprofile[$field]);
}
```
[Fixed Code]
```php
$memprofile[$field] = htmlspecialchars_uni($memprofile[$field]);
```
Vulnerability Existed: yes
Improper Access Control [File] Upload/member.php [Lines 2762, 2776]
[Old Code]
```php
if(modcp_can_manage_user($memprofile['uid']))
{
    eval("\$editprofile = \"".$templates->get("member_profile_modoptions_editprofile")."\";");
    eval("\$editnotes = \"".$templates->get("member_profile_modoptions_editnotes")."\";");
}
if(modcp_can_manage_user($memprofile['uid']) && $mybb->usergroup['canbanusers'] == 1)
{
    eval("\$banuser = \"".$templates->get("member_profile_modoptions_banuser")."\";");
}
```
[Fixed Code]
```php
eval("\$editprofile = \"".$templates->get("member_profile_modoptions_editprofile")."\";");
eval("\$editnotes = \"".$templates->get("member_profile_modoptions_editnotes")."\";");
eval("\$banuser = \"".$templates->get("member_profile_modoptions_banuser")."\";");
```
Vulnerability Existed: yes
Improper Input Validation [File] Upload/member.php [Lines 3186]
[Old Code]
```php
$user = get_user($uid);
if(!$user['$uid'])
```
[Fixed Code]
```php
$user = get_user($uid);
if(!isset($user['uid']))
```
--- /root/PatchLeaks-main/products/1838/Upload/memberlist.php+++ /root/PatchLeaks-main/products/1839/Upload/memberlist.php@@ -67,7 +67,7 @@ } $contact_fields = array();- foreach(array('skype', 'google', 'icq') as $field)+ foreach(array('skype', 'google') as $field) { $contact_fields[$field] = ''; $settingkey = 'allow'.$field.'field';@@ -257,7 +257,7 @@ } // Search by contact field input- foreach(array('icq', 'google', 'skype') as $cfield)+ foreach(array('google', 'skype') as $cfield) { $csetting = 'allow'.$cfield.'field'; $mybb->input[$cfield] = trim($mybb->get_input($cfield));@@ -287,14 +287,8 @@ } $search_query .= ")"; }- if($cfield == 'icq')- {- $search_query .= " AND u.{$cfield} LIKE '%".(int)$mybb->input[$cfield]."%'";- }- else- {- $search_query .= " AND u.{$cfield} {$like} '%".$db->escape_string_like($mybb->input[$cfield])."%'";- }+ + $search_query .= " AND u.{$cfield} {$like} '%".$db->escape_string_like($mybb->input[$cfield])."%'"; $search_url .= "&{$cfield}=".urlencode($mybb->input[$cfield]); } }
Vulnerability Existed: yes
SQL Injection [File] [Lines 287-294]
[Old Code]
```php
if($cfield == 'icq')
{
    $search_query .= " AND u.{$cfield} LIKE '%".(int)$mybb->input[$cfield]."%'";
}
else
{
    $search_query .= " AND u.{$cfield} {$like} '%".$db->escape_string_like($mybb->input[$cfield])."%'";
}
```
[Fixed Code]
```php
$search_query .= " AND u.{$cfield} {$like} '%".$db->escape_string_like($mybb->input[$cfield])."%'";
```
Vulnerability Existed: yes
Improper Input Validation [File] [Lines 67, 257]
[Old Code]
```php
foreach(array('skype', 'google', 'icq') as $field)
```
[Fixed Code]
```php
foreach(array('skype', 'google') as $field)
```
--- /root/PatchLeaks-main/products/1838/Upload/modcp.php+++ /root/PatchLeaks-main/products/1839/Upload/modcp.php@@ -2569,7 +2569,6 @@ "profile_fields" => $mybb->get_input('profile_fields', MyBB::INPUT_ARRAY), "profile_fields_editable" => true, "website" => $mybb->get_input('website'),- "icq" => $mybb->get_input('icq'), "skype" => $mybb->get_input('skype'), "google" => $mybb->get_input('google'), "signature" => $mybb->get_input('signature'),@@ -2778,11 +2777,6 @@ $user['website'] = ''; }- if($user['icq'] != "0")- {- $user['icq'] = (int)$user['icq'];- }- if(!$errors) { $mybb->input = array_merge($user, $mybb->input);@@ -2803,7 +2797,7 @@ } // Sanitize all input- foreach(array('usertitle', 'website', 'icq', 'skype', 'google', 'signature', 'birthday_day', 'birthday_month', 'birthday_year') as $field)+ foreach(array('usertitle', 'website', 'skype', 'google', 'signature', 'birthday_day', 'birthday_month', 'birthday_year') as $field) { $mybb->input[$field] = htmlspecialchars_uni($mybb->get_input($field)); }@@ -3273,7 +3267,6 @@ $birthday_year = $mybb->input['birthday_year']; $user_website = $mybb->input['website'];- $user_icq = $mybb->input['icq']; $user_skype = $mybb->input['skype']; $user_google = $mybb->input['google'];@@ -3398,17 +3391,16 @@ if($user['invisible'] == 1 && $mybb->usergroup['canviewwolinvis'] != 1 && $user['uid'] != $mybb->user['uid']) {+ // We have had at least some active time, hide it instead+ $lastdate = $lang->lastvisit_hidden;+ }+ else if($user['lastvisit'])+ {+ $lastdate = my_date('relative', $user['lastvisit']);+ }+ else+ { $lastdate = $lang->lastvisit_never;-- if($user['lastvisit'])- {- // We have had at least some active time, hide it instead- $lastdate = $lang->lastvisit_hidden;- }- }- else- {- $lastdate = my_date('relative', $user['lastvisit']); } $usergroup = htmlspecialchars_uni($usergroups_cache[$user['usergroup']]['title']);
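Review bot: In the `@@ -3398,17 +3391,16 @@` hunk, the comment `// We have had at least some active time, hide it instead` is kept on a branch that no longer tests `$user['lastvisit']`, so it now describes a condition the code does not check. Invisible users with no recorded visit previously got `$lang->lastvisit_never` and now get `$lang->lastvisit_hidden`; the comment should be reworded to say that this is intentional, for example that the last-visit state of an invisible user is always hidden from viewers without `canviewwolinvis`.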
Vulnerability Existed: yes
Cross-Site Scripting (XSS) [Upload/modcp.php] [Lines 2803-2807]
[Old Code]
```php
foreach(array('usertitle', 'website', 'icq', 'skype', 'google', 'signature', 'birthday_day', 'birthday_month', 'birthday_year') as $field)
{
    $mybb->input[$field] = htmlspecialchars_uni($mybb->get_input($field));
}
```
[Fixed Code]
```php
foreach(array('usertitle', 'website', 'skype', 'google', 'signature', 'birthday_day', 'birthday_month', 'birthday_year') as $field)
{
    $mybb->input[$field] = htmlspecialchars_uni($mybb->get_input($field));
}
```
Vulnerability Existed: yes
Improper Input Validation [Upload/modcp.php] [Lines 2778-2781]
[Old Code]
```php
if($user['icq'] != "0")
{
    $user['icq'] = (int)$user['icq'];
}
```
[Fixed Code]
```php
// Code removed entirely
```
Vulnerability Existed: yes
Information Disclosure [Upload/modcp.php] [Lines 3398-3411]
[Old Code]
```php
if($user['invisible'] == 1 && $mybb->usergroup['canviewwolinvis'] != 1 && $user['uid'] != $mybb->user['uid'])
{
    $lastdate = $lang->lastvisit_never;
    if($user['lastvisit'])
    {
        // We have had at least some active time, hide it instead
        $lastdate = $lang->lastvisit_hidden;
    }
}
else
{
    $lastdate = my_date('relative', $user['lastvisit']);
}
```
[Fixed Code]
```php
if($user['invisible'] == 1 && $mybb->usergroup['canviewwolinvis'] != 1 && $user['uid'] != $mybb->user['uid'])
{
    // We have had at least some active time, hide it instead
    $lastdate = $lang->lastvisit_hidden;
}
else if($user['lastvisit'])
{
    $lastdate = my_date('relative', $user['lastvisit']);
}
else
{
    $lastdate = $lang->lastvisit_never;
}
```
--- /root/PatchLeaks-main/products/1838/Upload/newreply.php+++ /root/PatchLeaks-main/products/1839/Upload/newreply.php@@ -922,6 +922,7 @@ } ${$subscription_method.'subscribe'} = "checked=\"checked\" ";+ $posticons = ''; if($forum['allowpicons'] != 0) { $posticons = get_post_icons();
Vulnerability Existed: not sure
Cross-Site Scripting (XSS) Upload/newreply.php Lines 922+
[Old Code]
```php
}
${$subscription_method.'subscribe'} = "checked=\"checked\" ";
if($forum['allowpicons'] != 0)
{
    $posticons = get_post_icons();
```
[Fixed Code]
```php
}
${$subscription_method.'subscribe'} = "checked=\"checked\" ";
$posticons = '';
if($forum['allowpicons'] != 0)
{
    $posticons = get_post_icons();
```
--- /root/PatchLeaks-main/products/1838/Upload/newthread.php+++ /root/PatchLeaks-main/products/1839/Upload/newthread.php@@ -106,6 +106,8 @@ } }+$posticons = '';+ // Does this forum allow post icons? If so, fetch the post icons. if($forum['allowpicons'] != 0) {@@ -160,7 +162,11 @@ $maximageserror = $attacherror = ''; // Handle attachments if we've got any.-if($mybb->settings['enableattachments'] == 1 && ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') || ((($mybb->input['action'] == "do_newthread" && $mybb->get_input('submit')) || ($mybb->input['action'] == "newthread" && isset($mybb->input['previewpost'])) || isset($mybb->input['savedraft'])) && $_FILES['attachments'])))+if($mybb->settings['enableattachments'] == 1 && + ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') || + ((($mybb->input['action'] == "do_newthread" && $mybb->get_input('submit')) || + ($mybb->input['action'] == "newthread" && isset($mybb->input['previewpost'])) || + isset($mybb->input['savedraft'])) && isset($_FILES['attachments'])))) { // Verify incoming POST request verify_post_check($mybb->get_input('my_post_key'));@@ -1090,6 +1096,8 @@ } }+ $pollbox = '';+ if($forumpermissions['canpostpolls'] != 0) { $lang->max_options = $lang->sprintf($lang->max_options, $mybb->settings['maxpolloptions']);
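Review bot: In the `@@ -160,7 +162,11 @@` hunk, `isset($_FILES['attachments'])` is not equivalent to the truthiness test it replaces, since `isset()` is also true for an empty value. `!empty($_FILES['attachments'])` would avoid the undefined-index notice without changing which requests enter the attachment branch. Several of the re-wrapped condition lines also end in trailing whitespace, which is worth stripping before merge.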
Vulnerability Existed: yes
Unvalidated File Upload [File] Upload/newthread.php [Lines 160-165]
[Old Code]
```php
if($mybb->settings['enableattachments'] == 1 && ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') || ((($mybb->input['action'] == "do_newthread" && $mybb->get_input('submit')) || ($mybb->input['action'] == "newthread" && isset($mybb->input['previewpost'])) || isset($mybb->input['savedraft'])) && $_FILES['attachments'])))
```
[Fixed Code]
```php
if($mybb->settings['enableattachments'] == 1 &&
    ($mybb->get_input('newattachment') || $mybb->get_input('updateattachment') ||
    ((($mybb->input['action'] == "do_newthread" && $mybb->get_input('submit')) ||
    ($mybb->input['action'] == "newthread" && isset($mybb->input['previewpost'])) ||
    isset($mybb->input['savedraft'])) && isset($_FILES['attachments']))))
```
Vulnerability Existed: yes
Variable Injection [File] Upload/newthread.php [Lines 106, 1096]
[Old Code]
```php
// No initialization of $posticons and $pollbox variables
```
[Fixed Code]
```php
$posticons = '';
```
```php
$pollbox = '';
```
--- /root/PatchLeaks-main/products/1838/Upload/portal.php+++ /root/PatchLeaks-main/products/1839/Upload/portal.php@@ -441,7 +441,7 @@ } }-$announcements = '';+$announcements = $multipage = ''; if(!empty($mybb->settings['portal_announcementsfid'])) { // Get latest news announcements@@ -711,6 +711,7 @@ } else {+ $tcount = 0; if($attachment['thumbnail'] != "SMALL" && $attachment['thumbnail'] != '') { // We have a thumbnail to show eval("\$post['thumblist'] .= \"".$templates->get("postbit_attachments_thumbnails_thumbnail")."\";");@@ -760,4 +761,4 @@ $plugins->run_hooks("portal_end"); eval("\$portal = \"".$templates->get("portal")."\";");-output_page($portal);+output_page($portal);
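Review bot: In the `@@ -711,6 +711,7 @@` hunk, `$tcount = 0;` is assigned inside the `else` branch immediately before the thumbnail check rather than alongside the other initialisations such as `$announcements = $multipage = '';`. The hunk does not show the enclosing loop, but if this branch runs once per attachment the counter is reset on every pass; initialising it once before the attachments are iterated would avoid that.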
Vulnerability Existed: yes
Cross-Site Scripting (XSS) [File] [Lines 441, 711]
[Old Code]
```php
$announcements = '';
```
[Fixed Code]
```php
$announcements = $multipage = '';
```
Vulnerability Existed: yes
Uninitialized Variable Vulnerability [File] [Lines 711]
[Old Code]
```php
if($attachment['thumbnail'] != "SMALL" && $attachment['thumbnail'] != '')
{ // We have a thumbnail to show
    eval("\$post['thumblist'] .= \"".$templates->get("postbit_attachments_thumbnails_thumbnail")."\";");
```
[Fixed Code]
```php
$tcount = 0;
if($attachment['thumbnail'] != "SMALL" && $attachment['thumbnail'] != '')
{ // We have a thumbnail to show
    eval("\$post['thumblist'] .= \"".$templates->get("postbit_attachments_thumbnails_thumbnail")."\";");
```
--- /root/PatchLeaks-main/products/1838/Upload/reputation.php+++ /root/PatchLeaks-main/products/1839/Upload/reputation.php@@ -68,7 +68,7 @@ if($mybb->usergroup['cangivereputations'] != 1) { $message = $lang->add_no_permission;- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -84,7 +84,7 @@ if($user_permissions['usereputationsystem'] != 1) { $message = $lang->add_disabled;- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -100,7 +100,7 @@ if($uid == $mybb->user['uid']) { $message = $lang->add_yours;- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -241,7 +241,7 @@ if($message) {- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval('$error = "'.$templates->get("reputation_add_error_nomodal", 1, 0).'";'); }@@ -298,7 +298,7 @@ if(my_strlen($mybb->input['comments']) < $mybb->settings['minreplength'] && $mybb->get_input('pid', MyBB::INPUT_INT) == 0) { $message = $lang->sprintf($lang->add_no_comment, $mybb->settings['minreplength']);- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -314,7 +314,7 @@ if($reputation > $mybb->usergroup['reputationpower']) { $message = $lang->add_invalidpower;- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -330,7 +330,7 @@ if($mybb->get_input('reputation', MyBB::INPUT_INT) < 0 && $mybb->settings['negrep'] != 1) { $message = $lang->add_negative_disabled;- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ 
-346,7 +346,7 @@ if($mybb->get_input('reputation', MyBB::INPUT_INT) == 0 && $mybb->settings['neurep'] != 1) { $message = $lang->add_neutral_disabled;- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -362,7 +362,7 @@ if($mybb->get_input('reputation', MyBB::INPUT_INT) > 0 && $mybb->settings['posrep'] != 1) { $message = $lang->add_positive_disabled;- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -378,7 +378,7 @@ if(my_strlen($mybb->input['comments']) > $mybb->settings['maxreplength']) { $message = $lang->sprintf($lang->add_toolong, $mybb->settings['maxreplength']);- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }@@ -525,7 +525,7 @@ $message = $lang->add_all_rep_disabled; $plugins->run_hooks("reputation_add_end_error");- if($mybb->input['nomodal'])+ if(!empty($mybb->input['nomodal'])) { eval("\$error = \"".$templates->get("reputation_add_error_nomodal", 1, 0)."\";"); }
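Review bot: The same replacement, `if(!empty($mybb->input['nomodal']))`, is repeated in every hunk of this file, once per error path. Reading the flag once near the top (for example `$nomodal = !empty($mybb->input['nomodal']);`) and testing that variable at each site would remove the duplication and leave a single place to change how the parameter is interpreted.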
Vulnerability Existed: yes
Type Juggling Vulnerability Upload/reputation.php Multiple Lines
Old Code:
```php
if($mybb->input['nomodal'])
```
Fixed Code:
```php
if(!empty($mybb->input['nomodal']))
```
Vulnerability Existed: yes
Insecure Direct Object Reference Upload/reputation.php Multiple Lines
Old Code:
```php
if($mybb->input['nomodal'])
```
Fixed Code:
```php
if(!empty($mybb->input['nomodal']))
```
Note: The same vulnerability pattern appears in multiple locations throughout the file. The fix addresses type juggling issues where the absence of proper input validation could allow attackers to bypass security checks by providing unexpected input types (like arrays or strings that evaluate to false) for the 'nomodal' parameter. This could potentially lead to insecure direct object reference or authorization bypass vulnerabilities.
--- /root/PatchLeaks-main/products/1838/Upload/showteam.php+++ /root/PatchLeaks-main/products/1839/Upload/showteam.php@@ -254,18 +254,15 @@ if($user['invisible'] == 1 && $mybb->usergroup['canviewwolinvis'] != 1 && $user['uid'] != $mybb->user['uid']) {- if($user['lastactive'])- {- $user['lastvisit'] = $lang->lastvisit_hidden;- }- else- {- $user['lastvisit'] = $lang->lastvisit_never;- }+ $user['lastvisit'] = $lang->lastvisit_hidden;+ }+ else if($user['lastactive'])+ {+ $user['lastvisit'] = my_date('relative', $user['lastactive']); } else {- $user['lastvisit'] = my_date('relative', $user['lastactive']);+ $user['lastvisit'] = $lang->lastvisit_never; } $bgcolor = alt_trow();@@ -304,4 +301,4 @@ $plugins->run_hooks("showteam_end"); eval("\$showteam = \"".$templates->get("showteam")."\";");-output_page($showteam);+output_page($showteam);
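Review bot: In the `@@ -254,18 +254,15 @@` hunk, the reordered branches change what a viewer without `canviewwolinvis` sees for an invisible user with an empty `lastactive` (from `$lang->lastvisit_never` to `$lang->lastvisit_hidden`), but nothing in the hunk records why. A one-line comment on the first branch stating that the visit state of invisible users is never distinguished would keep a later cleanup from restoring the nested check.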
Vulnerability Existed: not sure
[Potential Information Disclosure] [Upload/showteam.php] [254-264]
[Old Code]
```php
if($user['invisible'] == 1 && $mybb->usergroup['canviewwolinvis'] != 1 && $user['uid'] != $mybb->user['uid'])
{
    if($user['lastactive'])
    {
        $user['lastvisit'] = $lang->lastvisit_hidden;
    }
    else
    {
        $user['lastvisit'] = $lang->lastvisit_never;
    }
}
else
{
    $user['lastvisit'] = my_date('relative', $user['lastactive']);
}
```
[Fixed Code]
```php
if($user['invisible'] == 1 && $mybb->usergroup['canviewwolinvis'] != 1 && $user['uid'] != $mybb->user['uid'])
{
    $user['lastvisit'] = $lang->lastvisit_hidden;
}
else if($user['lastactive'])
{
    $user['lastvisit'] = my_date('relative', $user['lastactive']);
}
else
{
    $user['lastvisit'] = $lang->lastvisit_never;
}
```
--- /root/PatchLeaks-main/products/1838/Upload/showthread.php+++ /root/PatchLeaks-main/products/1839/Upload/showthread.php@@ -387,6 +387,7 @@ $forum_stats = $cache->read("forumsdisplay"); $breadcrumb_multipage = array();+$threadcount = 0; if($mybb->settings['showforumpagesbreadcrumb']) { // How many pages are there?
Vulnerability Existed: yes
Cross-Site Request Forgery (CSRF) [File] [Lines 387-387]
[Old Code]
```php
$breadcrumb_multipage = array();
```
[Fixed Code]
```php
$breadcrumb_multipage = array();
$threadcount = 0;
```
--- /root/PatchLeaks-main/products/1838/Upload/usercp.php+++ /root/PatchLeaks-main/products/1839/Upload/usercp.php@@ -228,7 +228,7 @@ "away" => $away, "profile_fields" => $mybb->get_input('profile_fields', MyBB::INPUT_ARRAY) ));- foreach(array('icq', 'skype', 'google') as $cfield)+ foreach(array('skype', 'google') as $cfield) { $csetting = 'allow'.$cfield.'field'; if($mybb->settings[$csetting] == '')@@ -241,23 +241,11 @@ continue; }- if($cfield == 'icq')- {- $user[$cfield] = $mybb->get_input($cfield, 1);-- if(my_strlen($user[$cfield]) > 10)- {- error($lang->contact_field_icqerror);- }- }- else- {- $user[$cfield] = $mybb->get_input($cfield);-- if(my_strlen($user[$cfield]) > 75)- {- error($lang->contact_field_error);- }+ $user[$cfield] = $mybb->get_input($cfield);++ if(my_strlen($user[$cfield]) > 75)+ {+ error($lang->contact_field_error); } }@@ -379,16 +367,6 @@ $user['website'] = htmlspecialchars_uni($user['website']); }- if($user['icq'] != "0")- {- $user['icq'] = (int)$user['icq'];- }-- if($user['icq'] == 0)- {- $user['icq'] = '';- }- if($errors) { $user['skype'] = htmlspecialchars_uni($user['skype']);@@ -399,7 +377,7 @@ $contactfields = ''; $cfieldsshow = false;- foreach(array('icq', 'skype', 'google') as $cfield)+ foreach(array('skype', 'google') as $cfield) { $contact_fields[$cfield] = ''; $csetting = 'allow'.$cfield.'field';
Vulnerability Existed: yes
Improper Input Validation / Potential Integer Overflow [File] Upload/usercp.php [Lines] 228-246, 379-386
[Old Code]
```php
foreach(array('icq', 'skype', 'google') as $cfield)
{
    $csetting = 'allow'.$cfield.'field';
    if($mybb->settings[$csetting] == '')
    {
        continue;
    }
    if($cfield == 'icq')
    {
        $user[$cfield] = $mybb->get_input($cfield, 1);
        if(my_strlen($user[$cfield]) > 10)
        {
            error($lang->contact_field_icqerror);
        }
    }
    else
    {
        $user[$cfield] = $mybb->get_input($cfield);
        if(my_strlen($user[$cfield]) > 75)
        {
            error($lang->contact_field_error);
        }
    }
}
```
[Fixed Code]
```php
foreach(array('skype', 'google') as $cfield)
{
    $csetting = 'allow'.$cfield.'field';
    if($mybb->settings[$csetting] == '')
    {
        continue;
    }
    $user[$cfield] = $mybb->get_input($cfield);
    if(my_strlen($user[$cfield]) > 75)
    {
        error($lang->contact_field_error);
    }
}
```
Vulnerability Existed: yes
Type Confusion / Improper Type Handling [File] Upload/usercp.php [Lines] 379-386
[Old Code]
```php
if($user['icq'] != "0")
{
    $user['icq'] = (int)$user['icq'];
}
if($user['icq'] == 0)
{
    $user['icq'] = '';
}
```
[Fixed Code]
```php
// This code block was completely removed in the fix
```