MyBB Community Forums

Full Version: Potential security issue
I was following this post to change the background of the 'owners' posts to an image. I copied the default postbit code and pasted it into a notepad on my computer. After seeing that the changes described in the other post had no effect, I reverted them and was given the message "A potential security issue has been found in the template".

changes made:

Added this code to showthread.css

/* Styles any element carrying the usergroup4 class: white text on a solid
   red background, with any background image switched off. */
.usergroup4 {
    color: white;
    background-color: red;
    background-image: none;
}

Added this code to postbit
<!-- Postbit template, table layout: a header row (post date, time, edit note,
     post link), an author row (avatar, profile link, user details), a content
     row (subject, message, attachments, signature) and a button row.
     The curly-brace placeholders are template variables. -->
{$ignore_bit}
<a name="pid{$post['pid']}" id="pid{$post['pid']}"></a>
<table border="0" cellspacing="{$theme['borderwidth']}" cellpadding="{$theme['tablespace']}" class="tborder" style="{$post_extra_style} {$post_visibility}" id="post_{$post['pid']}">
     <tbody>
         <tr>
             <td class="tcat">
                 <div class="float_left smalltext">
                     {$post['postdate']}, {$post['posttime']} <span id="edited_by_{$post['pid']}">{$post['editedmsg']}</span>
                 </div>
                 {$post['posturl']}
             </td>
         </tr>

         <tr>
             <td class="trow1 {$unapproved_shade}">
                 <table cellspacing="0" cellpadding="0" border="0" style="width: 100%;">
                     <tr>
                         <td class="post_avatar" width="1" style="{$post['avatar_padding']}">
                             {$post['useravatar']}
                         </td>
                         <td class="post_author">
                             <strong><span class="largetext">{$post['profilelink']}</span></strong> {$post['onlinestatus']}<br />
                             <span class="smalltext">
                                 {$post['usertitle']}<br />
                                 {$post['userstars']}
                                 {$post['groupimage']}
                             </span>
                         </td>
                         <td class="smalltext post_author_info" width="165">
                             {$post['user_details']}
                         </td>
                     </tr>
                 </table>
             </td>
         </tr>

         <tr>
             <!-- The class list on this cell includes "usergroup" followed by the
                  post's usergroup value, so a stylesheet rule such as .usergroup4
                  can target the content cell of posts from one group. -->
             <td class="trow2 post_content usergroup{$post['usergroup']} {$unapproved_shade}">
                 <span class="smalltext"><strong>{$post['icon']}{$post['subject']} {$post['subject_extra']}</strong></span>

                 <div class="post_body" id="pid_{$post['pid']}">
                     {$post['message']}
                 </div>
                 {$post['attachments']}
                 {$post['signature']}

                 <div class="post_meta" id="post_meta_{$post['pid']}">
                 {$post['iplogged']}
                 </div>
             </td>
         </tr>

         <tr>
             <td class="trow1 post_buttons {$unapproved_shade}">
                 <div class="author_buttons float_left">
                     {$post['button_email']}{$post['button_pm']}{$post['button_www']}{$post['button_find']}{$post['button_rep']}
                 </div>
                 <div class="post_management_buttons float_right">{$post['button_spam']}{$post['button_edit']}{$post['button_quickdelete']}{$post['button_quote']}{$post['button_multiquote']}{$post['button_report']}{$post['button_warn']}{$post['button_reply_pm']}{$post['button_replyall_pm']}{$post['button_forward_pm']}{$post['button_delete_pm']}
                 </div>
             </td>
         </tr>
     </tbody>
</table>




Original code below:

showthread.css
padding-left: 24px;
padding-bottom: 4px;
margin-bottom: 3px;
postbit
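<!-- Postbit template, div layout: author block, post content block and
     control buttons for one post.
     Every placeholder is kept whole on a single line. In the pasted copy,
     hard line wraps had split several placeholders between the variable name
     and its bracketed key (and split one opening div tag). A placeholder
     broken that way is no longer a plain variable reference, which is the
     kind of content the template check reports as "A potential security
     issue has been found in the template". Disable word wrap, or use an
     editor that does not insert line breaks, before pasting a template
     back. -->
{$ignore_bit}
<a name="pid{$post['pid']}" id="pid{$post['pid']}"></a>
<div class="post {$unapproved_shade}" style="{$post_visibility}" id="post_{$post['pid']}">
<div class="post_author">
	{$post['useravatar']}
	<div class="author_information">
			<strong><span class="largetext">{$post['profilelink']}</span></strong> {$post['onlinestatus']}<br />
			<span class="smalltext">
				{$post['userstars']}
				{$post['groupimage']}
			</span>
	</div>
	<div class="author_statistics">
		{$post['user_details']}
	</div>
</div>
<div class="post_content">
	<div class="post_head">
		{$post['posturl']}
		{$post['icon']}
		<span class="post_date">{$post['postdate']} <span class="post_edit" id="edited_by_{$post['pid']}">{$post['editedmsg']}</span></span>
		{$post['subject_extra']}
	</div>
	<div class="post_body scaleimages" id="pid_{$post['pid']}">
		{$post['message']}
	</div>
	{$post['attachments']}
	{$post['signature']}
	<div class="post_meta" id="post_meta_{$post['pid']}">

	</div>
</div>
<div class="post_controls">
	<div class="postbit_buttons author_buttons float_left">
		{$post['button_email']}{$post['button_pm']}{$post['button_www']}{$post['button_find']}{$post['button_rep']}{$post['iplogged']}
	</div>
	<div class="postbit_buttons post_management_buttons float_right">
		{$post['button_edit']}{$post['button_quickdelete']}{$post['button_quickrestore']}{$post['button_quote']}{$post['button_multiquote']}{$post['button_report']}{$post['button_warn']}{$post['button_purgespammer']}{$post['button_reply_pm']}{$post['button_replyall_pm']}{$post['button_forward_pm']}{$post['button_delete_pm']}
	</div>
</div>
</div>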