MyBB Community Forums

Full Version: Is this code malicious?
Hi all
I've found the following code in forumdisplay.php (MyBB 1.6.10). Is it malicious? A backdoor or so...

// Needs to be initialized in order to speed-up things. Fixes #2031
$orderarrow = array('rating'=>'', 'subject'=>'', 'starter'=>'', 'replies'=>'', 'views'=>''); 
eval("\$orderarrow['$sortby'] = \"".$templates->get("forumdisplay_orderarrow")."\";");

Why would it be? For example, if you have the following code, PHP will parse $variable as its actual value.

$variable = "test";
echo "this is variable's value: {$variable}";

MyBB uses eval to "execute" templates so that the variables get replaced with their values. There is nothing insecure about the code you have posted.

Thanks
I have a WordPress plugin which recognizes that code as suspicious.

Thanks again for your help

The code is suspicious. It would be malicious if $sortby, which is originally untrustworthy user input, were not cleaned properly. That's the case though (although not obviously so). So not a problem, hopefully.

The code could be improved if this were implemented: https://github.com/firestryke31/mybb/com...03f341cf0a (although there's an error in this particular line of the suggested commit)

Edit: In case the WordPress plugin (which one?) warned because it has eval(), which is evil - well, MyBB uses that for all its templates everywhere. It's only malicious if someone managed to put malicious code in your templates.
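As an added example (this is not MyBB's own code; the TemplateStub class, clean_sortby(), build_eval_source() and the template text are constructed for illustration), the following shows what the eval-based template rendering described above actually does, and why the $sortby key has to be validated against the known sort columns before it is interpolated into the code string that eval() receives.

```php
<?php
// Added example, not code from MyBB. It mimics the eval() template pattern from
// forumdisplay.php to show (1) how a template's {$var} placeholders get filled in,
// and (2) what changes when $sortby is, or is not, restricted to known keys.

// Stand-in for MyBB's $templates object. The template text is constructed for this
// example; double quotes inside it are pre-escaped, as stored MyBB templates are,
// because the template is spliced into a double-quoted PHP string before eval().
class TemplateStub
{
    private $templates = array(
        'forumdisplay_orderarrow' => '<span class=\"arrow\">{$sortby} {$order}</span>',
    );

    public function get($name)
    {
        return isset($this->templates[$name]) ? $this->templates[$name] : '';
    }
}

// The sort columns that forumdisplay.php initialises in $orderarrow.
$allowed_sortby = array('rating', 'subject', 'starter', 'replies', 'views');

// Whitelist check (illustrative, not MyBB's exact code): anything that is not one of
// the known keys falls back to a default. Strict comparison also rejects non-strings
// such as an array submitted as ?sortby[]=.
function clean_sortby($input, array $allowed, $default = 'replies')
{
    return in_array($input, $allowed, true) ? $input : $default;
}

// Build the PHP statement exactly as the original line builds it, but return it
// instead of evaluating it, so the effect of the interpolated key can be inspected.
function build_eval_source($sortby, TemplateStub $templates)
{
    return "\$orderarrow['$sortby'] = \"" . $templates->get('forumdisplay_orderarrow') . "\";";
}

$templates = new TemplateStub();
$order = 'desc';
$orderarrow = array('rating'=>'', 'subject'=>'', 'starter'=>'', 'replies'=>'', 'views'=>'');

// 1. A validated key. The generated statement is an ordinary assignment, and when it
//    is eval()'d the {$sortby} and {$order} placeholders are filled from the current scope.
$sortby = clean_sortby('replies', $allowed_sortby);
$src = build_eval_source($sortby, $templates);
echo $src, "\n";
// $orderarrow['replies'] = "<span class=\"arrow\">{$sortby} {$order}</span>";
eval($src);
echo $orderarrow['replies'], "\n";
// <span class="arrow">replies desc</span>

// 2. The same statement built from an unvalidated value. A single quote in the input
//    closes the array index early, so the rest of the input becomes PHP code rather
//    than part of a string key. The result is only printed here, never passed to eval().
$raw = "replies']; \$injected = true; \$orderarrow['replies";
echo build_eval_source($raw, $templates), "\n";

// 3. After the whitelist check the value collapses to the default key, so the
//    generated statement is identical in shape to case 1 and cannot be altered.
$safe = clean_sortby($raw, $allowed_sortby);
echo build_eval_source($safe, $templates), "\n";
```

The point of the third step is the one made in the replies above: eval() on templates is only as safe as the inputs that reach the generated code, so the question to ask about any such line is where $sortby comes from and which check stands between the request parameter and the interpolation.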