MyBB Community Forums

Full Version: Myshoutbox 1.7 security problem csrf
Hello, can someone help me secure this plugin? It is a very good plugin, but it has some security problems.

For the CSRF, I know we need to use a token.

inc/plugins/tpl_sf_shoutbox.txt
find:
<td class="trow2" align="center"><form onSubmit="ShoutBox.postShout(); $('shout_data').value = ''; return false;">{$lang->sf_sb_shout} <input type="text" id="shout_data" size="50" /> - <input type="submit" value="{$lang->sf_sb_shoutnow}" id="shouting-status" /></form></td>

replace with:
<td class="trow2" align="center"><form onSubmit="ShoutBox.postShout(); $('shout_data').value = ''; return false;">{$lang->sf_sb_shout} <input type="hidden" id="shout_key" value="{$mybb->post_code}" /><input type="text" id="shout_data" size="50" /> - <input type="submit" value="{$lang->sf_sb_shoutnow}" id="shouting-status" /></form></td>

jscripts/shoutbox.js
find:
message = $("shout_data").value;

and put this line after it:
key = $("shout_key").value;

find:
postData = "shout_data="+encodeURIComponent(message).replace(/\+/g, "%2B");

replace with:
postData = "shout_data="+encodeURIComponent(message).replace(/\+/g, "%2B")+"&shout_key="+key;

inc/plugins/spicefuse_shoutbox.php
find:
if ($mybb->user['usergroup'] == 1 OR $mybb->user['uid'] < 1 OR !sb_can_view()) {
die("failed!");
}

and put this line after it:
verify_post_check($mybb->input['shout_key']);

After that, deactivate/reactivate the shoutbox plugin and it's done.

But this fix is for Spicefuse Shoutbox. How can I adapt it for MyShoutbox 1.7? Because for the last step:


inc/plugins/spicefuse_shoutbox.php
find:
if ($mybb->user['usergroup'] == 1 OR $mybb->user['uid'] < 1 OR !sb_can_view()) {
die("failed!");
}

I can't find this line in the MyShoutbox 1.7 plugin.

Sorry for my bad English.

Help me, thanks in advance.
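To show where the token check from the three steps above has to sit, here is an added, self-contained example in plain PHP. It is not code from MyShoutbox, Spicefuse Shoutbox or MyBB: MyBB's real token is {$mybb->post_code} and its real check is verify_post_check(), exactly as used in the post, but the example substitutes stand-ins (everything prefixed demo_, the site secret and the user record are made up) so it runs without a forum installation. It contrasts the handler with only a permission check against the same handler with the token check added, and feeds both a forged cross-site request and a legitimate one.

```php
<?php
// Added example for this thread; not code from MyShoutbox, Spicefuse
// Shoutbox or MyBB. It reproduces the token pattern in plain PHP so it
// runs without a forum install. Everything prefixed demo_ is hypothetical.

// Stand-in for MyBB's $mybb->post_code: a value tied to the logged-in
// user that another site cannot read or guess. MyBB computes its own;
// here it is an HMAC over the user's login key with a site secret.
function demo_generate_post_check(array $user, string $site_secret): string
{
    return hash_hmac('sha256', $user['loginkey'] . '|' . $user['uid'], $site_secret);
}

// Stand-in for verify_post_check($code, $silent = true). Returns false
// instead of calling error(). hash_equals() avoids a timing side channel.
function demo_verify_post_check($code, array $user, string $site_secret): bool
{
    if (!is_string($code) || $code === '') {
        return false;
    }
    return hash_equals(demo_generate_post_check($user, $site_secret), $code);
}

// The handler as the thread describes it before the fix: only a
// permission check. Any request that rides on the victim's session
// cookie (an auto-submitting form on another site, for example) succeeds.
function demo_shout_vulnerable(array $user, array $input, array &$shouts): bool
{
    if ($user['uid'] < 1) {
        return false;
    }
    $shouts[] = ['uid' => $user['uid'], 'text' => (string)($input['shout_data'] ?? '')];
    return true;
}

// After the fix: the token check goes right after the permission check
// and before anything is written. This is the line the poster could not
// place in MyShoutbox 1.7; it belongs at the top of whatever code path
// handles the AJAX "post shout" request.
function demo_shout_hardened(array $user, array $input, array &$shouts, string $site_secret): bool
{
    if ($user['uid'] < 1) {
        return false;
    }
    if (!demo_verify_post_check($input['shout_key'] ?? null, $user, $site_secret)) {
        return false; // MyBB's verify_post_check() would stop with an error page here
    }
    $shouts[] = ['uid' => $user['uid'], 'text' => (string)($input['shout_data'] ?? '')];
    return true;
}

// --- constructed demo data, not from a real forum ---
$site_secret = 'demo-site-secret';
$victim      = ['uid' => 42, 'loginkey' => 'demo-loginkey'];
$shouts      = [];

// Cross-site forgery: the attacker controls shout_data but has no way
// to learn shout_key, so the hidden field is missing or wrong.
$forged = ['shout_data' => 'spam posted without the victim knowing', 'shout_key' => 'guess'];
echo 'vulnerable handler, forged request: ', demo_shout_vulnerable($victim, $forged, $shouts) ? "accepted\n" : "rejected\n";
echo 'hardened handler,   forged request: ', demo_shout_hardened($victim, $forged, $shouts, $site_secret) ? "accepted\n" : "rejected\n";

// Legitimate request: shoutbox.js reads the hidden shout_key input
// ({$mybb->post_code}) and appends &shout_key=... to postData.
$legit = ['shout_data' => 'hello', 'shout_key' => demo_generate_post_check($victim, $site_secret)];
echo 'hardened handler,   real request:   ', demo_shout_hardened($victim, $legit, $shouts, $site_secret) ? "accepted\n" : "rejected\n";
```

Run it with `php demo.php`. The point for MyShoutbox 1.7 is that the check belongs in the request handler that actually inserts the shout, so rather than searching for the exact Spicefuse permission line, look for the code path that writes the new shout to the database and call verify_post_check($mybb->input['shout_key']) before it; the template and shoutbox.js changes are only useful if that server-side check exists, because the browser sends the token but only the server can refuse requests that lack it.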
No one can help me????
Those instructions are for the Spicefuse shoutbox and not MyShoutbox, thus they may not apply correctly.
There is a CSRF vulnerability for sure, which I always forget to fix when I've got some free time. It isn't a big deal though; it won't damage your forum.
Thanks for your reply.