2013-01-19, 02:08 PM
Hi guys,
I'm developing a new shoutbox for MyBB as some of you already know, and I succeeded to bring multiple shoutboxes management to the ACP so far. But now I'm stuck at a very annoying issue: basically the code relies on the current location to display, add or delete shouts to the correct database table. If the user is watching the forum with ID = 5, then shouts are displayed from, added to and deleted from the TABLE_PREFIX.idlchat_5 table.
Since data is being parsed with the xmlhttp.php file, I assumed that the $mybb->input object contained the fid value, but it doesn't. Without it I had to create a hidden input with the current fid as value and pass it from JavaScript to the PHP file, getting all my functions to work properly. But what if the user edits that value with "X", let's say, using the Chrome Console? Then the JavaScript would gather for the wrong fid, and consequently display shouts stored in the TABLE_PREFIX.idlchat_X table, if it exists. This may cause wrong behaviors. For example, if you create a chat in a restricted forum and another one in your Homepage, then a user could easily access the restricted forum's shouts by editing the fid.
I know that it's relatively hard to guess this procedure, but the fewer vulns there are, the safer the plugin will be.
I basically have to pass the forum ID without relying on a user-editable value. Is there a way to handle the $mybb->input['fid'] value (which is passed to the page) with JavaScript, and send it back to PHP? It wouldn't be editable and it would be the solution I'm searching for, but I don't know how to handle that with JavaScript.
Any help is appreciated. Thank you for reading!
With regards,
Shade
Oh, googling around I've just noticed POST'ed data can't be handled within front-end unless it's stored somewhere in the DOM. Well, I could easily perform a user permission check to see if the user is allowed to see the shouts for a particular Forum, but it'd be better if I could just know the FID the user is currently in.
Is there a way to add fid to the $mybb->input object in xmlhttp.php? Thank you!
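The server-side permission check the post mentions, written out as an added example (it is not code from the post or from the MyBB project): the fid that the JavaScript sends is treated as an untrusted claim and checked against MyBB's own forum permissions before any idlchat_<fid> table is touched. It assumes MyBB's core helpers get_forum(), forum_permissions(), $db->table_exists() and htmlspecialchars_uni(); idlchat_deny() is a hypothetical helper.

```php
<?php
// Added example, not part of the original post or of MyBB itself.
// Whatever the client sends as "fid" is only a claim: the server decides
// whether this user may read that forum before picking a table.
define("IN_MYBB", 1);
require_once "./global.php";   // loads $mybb, $db and inc/functions.php

// 1. Coerce the input to an integer: "X", SQL fragments and empty strings all become 0.
$fid = isset($mybb->input['fid']) ? (int)$mybb->input['fid'] : 0;
if ($fid <= 0) {
    idlchat_deny("Invalid forum ID.");
}

// 2. The forum must exist in MyBB, not merely a table with a matching suffix.
$forum = get_forum($fid);
if (!$forum) {
    idlchat_deny("No such forum.");
}

// 3. Enforce the same view permission the forum itself enforces. forum_permissions()
//    resolves the current user's group and forum permissions; canview == 0 means denied.
$permissions = forum_permissions($fid);
if (empty($permissions['canview'])) {
    idlchat_deny("You do not have permission to view this shoutbox.");
}

// 4. Only now derive the table name (from an int, so it cannot be tampered with)
//    and confirm the table exists before querying it.
$table = "idlchat_" . $fid;
if (!$db->table_exists($table)) {
    idlchat_deny("No shoutbox for this forum.");
}

$query = $db->simple_select($table, "*", "", array(
    "order_by" => "dateline", "order_dir" => "DESC", "limit" => 20,
));
while ($shout = $db->fetch_array($query)) {
    echo htmlspecialchars_uni($shout['message']) . "<br />";
}

// Hypothetical helper: refuse the request and send nothing from the table.
function idlchat_deny($message)
{
    header("HTTP/1.1 403 Forbidden");
    echo htmlspecialchars_uni($message);
    exit;
}
```

The same check belongs in the add and delete handlers, since each of them is reached by the same client-controlled request.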