MyBB Community Forums

So i have noticed that if you go to /search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=
on any site then you get an error. You can try this on your own forums or on this forum.

How To patch :

edit search.php and find this line :


$sid = $db->escape_string($mybb->input['sid']);


change this line to :


if(is_array($mybb->input['sid']))
$sid = $db->escape_string(implode($mybb->input['sid']));
else
$sid = $db->escape_string($mybb->input['sid']);

We're aware of this but as there are many more places where this occurs we won't fix this in 1.6 - but it's already fixed in 1.8

(2014-05-19, 07:16 PM)King Louis Wrote: [ -> ]We're aware of this but as there are many more places where this occurs we won't fix this in 1.6 - but it's already fixed in 1.8

Ah, sorry for posting then :p

no ok... security fix 4 august 2014... no fix

And:
http://community.mybb.com/search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2

Its been fixed in 1.8 a while back, along with lots of other places where there was a potential for the same problem https://github.com/mybb/mybb/commit/93f3...e611968744

(2014-08-13, 02:07 AM)Leprechaun Wrote: [ -> ]no ok... security fix 4 august 2014... no fix

And:
http://community.mybb.com/search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2

It's not a huge security issue. The only interesting thing it reveals is the PHP version, and there are easier ways of determining that. Even then if you are running on a vulnerable PHP version the attacker doesn't necessarily need to know it to exploit it.

If it bothers you, turn off warnings/errors in production.