MyBB Community Forums

Full Version: Input manipulation causing Full Path Disclosure (ACP-wide)
While the front-end seems to be pulling the user input using $mybb->get_input(), which converts it to the expected types, this is not being done in the ACP, and simple input type manipulation (e.g. submitting arrays instead of string values) allows triggering PHP errors related to the provided values' types and the functions they have been passed to.

Code sample:
https://github.com/mybb/mybb/blob/featur...ng.php#L25

This issue refers to a vast majority of POST forms as well as mechanisms relying on GET parameters present in the ACP.
Yeah, the ACP is a bit of a mess. We need to find the time to go through and fix it up.
Marking as duplicate. There are already several issues, a PR and some things have been fixed already.
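The type mismatch described in the first post, and the kind of coercion a typed accessor performs, as an added example that is not part of the thread and not MyBB's code. The `typed_input()` helper, the field names and the request data are assumptions made for illustration.

```php
<?php
// Constructed request data: 'title' arrives as an array where the
// handler expects a string; 'fid' carries trailing non-digits.
$input = ['name' => ' General ', 'title' => ['x'], 'fid' => '12abc'];

// Hypothetical typed accessor (not MyBB's implementation): always returns
// the requested type, with a neutral default when the shape is wrong.
function typed_input(array $src, string $key, string $type = 'string')
{
    $value = $src[$key] ?? null;
    switch ($type) {
        case 'int':
            return is_scalar($value) ? (int) $value : 0;
        case 'array':
            return is_array($value) ? $value : [];
        default:
            return is_scalar($value) ? (string) $value : '';
    }
}

// Unchecked pattern: the raw value goes straight into a string function.
function unchecked_title(array $src): string
{
    try {
        return trim($src['title']);
    } catch (TypeError $e) {
        // PHP 8 throws here (PHP 7 raises a warning instead). Left uncaught
        // and rendered to the browser, the report names the script's
        // absolute path, which is the disclosure discussed above.
        return 'TypeError from ' . basename($e->getFile()) . ': ' . $e->getMessage();
    }
}

// Checked pattern: coerce first, then use the value.
function checked_title(array $src): string
{
    return trim(typed_input($src, 'title'));
}

// Defence in depth (standard PHP settings): log errors, never render them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

echo unchecked_title($input), PHP_EOL;
var_dump(checked_title($input));
var_dump(typed_input($input, 'fid', 'int'));
var_dump(typed_input($input, 'name'));
```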