MyBB Community Forums

Full Version: Registration Security Question Plugin - XSS Vulnerability
A member told me that there was an XSS vulnerability in this plugin:

http://mods.mybb.com/view/registration-s...y-question

I highly doubt it, considering the author is a support technician, but is this true?
I don't know how there would be an XSS in that plugin. The user input is never displayed. If you can display HTML in the question, that's not an XSS vulnerability.

Ask him for a proof of concept.
Line 37:
	$prefix = 'g33k_'.$codename.'_';

No problem there.
He said something similar here about another plugin: http://yaldaram.com/thread-4963-post-225...l#pid22585

That line is empty.

He's just trying to be a l33t hacker scaring people.
Ah, thanks.

Just wanted to make sure.
@ Xeronations - next time you think there might be a vulnerability please report it in Private Inquiries rather than the open forum.
(2012-12-22, 12:28 AM)Paul H. Wrote: Line 37:
	$prefix = 'g33k_'.$codename.'_';

No problem there.
He said something similar here about another plugin: http://yaldaram.com/thread-4963-post-225...l#pid22585

That line is empty.

He's just trying to be a l33t hacker scaring people.

CAN WE REMOVE THAT LINE????
Line 37:
	$prefix = 'g33k_'.$codename.'_';
(2015-02-09, 08:10 AM)Dr_The_One Wrote: CAN WE REMOVE THAT LINE????
Line 37:
	$prefix = 'g33k_'.$codename.'_';

Uhhhh... no. If you do that, you'll break the plugin's ability to function.
Read: http://community.mybb.com/thread-129189-page-2.html
The updated reg security question file download is the last post.
Update your files with it and make a change or two to your questions, and then the plug-in will work as designed.
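As an added illustration (not the plugin's code and not any poster's), the PHP below contrasts the disputed line, which only builds a settings-key prefix and never touches request data, with the kind of output path a real XSS report would have to point at. The settings array, the function names and the value of $codename are assumptions; MyBB's own escaping helper is htmlspecialchars_uni(), but plain htmlspecialchars() is used so the snippet runs stand-alone.

```php
<?php
// Added example: why removing "line 37" breaks the plugin, and why it is not an XSS sink.
// $codename is assumed to be a hard-coded plugin identifier, as is usual for MyBB plugins.
$codename = 'regsecurity';            // assumed value; set by the plugin author, not by any request
$prefix   = 'g33k_'.$codename.'_';    // the disputed line: yields the settings prefix "g33k_regsecurity_"

// Hypothetical settings store standing in for $mybb->settings.
$settings = [
    $prefix.'question' => 'What colour is the sky?',
    $prefix.'answer'   => 'blue',
];

// Every lookup depends on $prefix; deleting the line above makes all of them return null.
function setting_value(array $settings, string $prefix, string $name): ?string
{
    return $settings[$prefix.$name] ?? null;
}

// An XSS needs attacker-controlled data to reach HTML output unescaped.
// Vulnerable pattern (what a proof of concept would have to demonstrate): the registrant's
// submitted answer is echoed back into the page as-is.
function render_error_vulnerable(string $submitted_answer): string
{
    return '<div class="error">Wrong answer: '.$submitted_answer.'</div>';
}

// Hardened pattern: escape at the output boundary, so submitted markup is shown as text.
function render_error_safe(string $submitted_answer): string
{
    return '<div class="error">Wrong answer: '
        .htmlspecialchars($submitted_answer, ENT_QUOTES, 'UTF-8').'</div>';
}

// Constructed sample input: a registrant submits markup instead of a plain answer.
$submitted = '<b>not blue</b>';

echo setting_value($settings, $prefix, 'question'), "\n";   // prefix works: the question is found
echo render_error_vulnerable($submitted), "\n";             // markup passes into the HTML unchanged
echo render_error_safe($submitted), "\n";                   // markup is neutralised by escaping
```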