MyBB Community Forums

Full Version: Is my usergroup check secure?
Hello MyBB community.

I use the usergroup+additionalgroups system of MyBB for permissions management for extra sites on my forum.

At the beginning of these special sites I call a function which checks if the user is in a specific usergroup.
The user can only visit the site if he is in the usergroup, otherwise an error page is shown.

My question is:

Is my usergroup check secure, or can someone fake that he is a user, change values, cookies or something like that to gain unallowed access to my page?

This is the usergroup checking part of my function (which is working so far, but as explained I don't know if it is secure):

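public static function userisingroup($usergroupname){
	global $mybb;
	// Start with an empty list so $grouparray is always defined.
	$grouparray = array();
	// Additional groups are stored as a comma-separated list of group IDs.
	if (array_key_exists('additionalgroups', $mybb->user) && $mybb->user['additionalgroups']){
		$grouparray = explode(",", $mybb->user['additionalgroups']);
	}
	// Add the primary usergroup.
	$grouparray[] = $mybb->user['usergroup'];

	// Banned users are always denied.
	if (in_array(self::$usergroupid['banned'], $grouparray)){
		return false;
	}

	// Deny unless the user is a member of the requested group.
	if (!in_array(self::$usergroupid[$usergroupname], $grouparray)) {
		return false;
	}
	return true;
}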

As you can see, I get the information of the usergroup from the „global $mybb“ variable.

$mybb->user['usergroup']
$mybb->user['additionalgroups']


Is this a secure way?
Could someone change the values of this variable?
On this site I read something about „MyBB Global Variable Overwrite Vulnerability“.
Where do the values of the $mybb variable come from?

I am very thankful for an improvement if needed.

Regards
suiluj
You should use MyBB's native function: https://github.com/mybb/mybb/blob/mybb_1....php#L6968 (it doesn't check whether the user belongs to the banned group).

(2016-04-15, 05:28 PM)suiluj Wrote: Could someone change the values of this variable?
On this site I read something about „MyBB Global Variable Overwrite Vulnerability“.
The vulnerability worked only with register_globals turned on (not by default) and PHP < 5.4; additionally, MyBB 1.8.3 included additional measures to counter this attack.

Quote:Where do the values of the $mybb variable come from?
$mybb->user is set by the engine and can be used as a trusted source.
Ah, thank you very much Devilshakerz!

Thanks for the hint to the standard is_member(...) function. I did not know it and I will probably change my code to use this function in the future.

But just to be sure: Is my current configuration/function (without the is_member(...) ) already secure?

I use PHP 5.5.
Where do I have to check if register_globals is turned off? Do I have to check my .htaccess or phpinfo() response?

Thanks for your experienced help.
(2016-04-16, 03:08 PM)suiluj Wrote: But just to be sure: Is my current configuration/function (without the is_member(...) ) already secure?
The method itself appears to be fine.

Quote: I use PHP 5.5.
Where do I have to check if register_globals is turned off? Do I have to check my .htaccess or phpinfo() response?
You don't have to worry about it then - it was removed as of PHP 5.4.
Ah great, thanks again for answering all my questions.
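
A fail-closed variant of the group check discussed in this thread, added here as an example; it is not code from the posters or from MyBB. The function name, the group names and IDs in GROUP_IDS and the sample rows are assumptions, $user stands in for $mybb->user, and the syntax needs PHP 7 or later.

```php
<?php
// Added example, not MyBB code. Group names and IDs are assumptions;
// use the gid values from your own forum's usergroups table.
const GROUP_IDS = ['banned' => 7, 'extrapages' => 12];

/**
 * Fail-closed membership check. $user stands in for $mybb->user,
 * which the thread describes as set by the engine.
 */
function user_is_in_group(array $user, string $groupName): bool
{
    // Unknown group name: deny instead of comparing against null.
    if (!array_key_exists($groupName, GROUP_IDS)) {
        return false;
    }

    // Primary group plus comma-separated additional groups, as integers.
    $memberships = [(int)($user['usergroup'] ?? 0)];
    foreach (explode(',', (string)($user['additionalgroups'] ?? '')) as $gid) {
        $gid = (int)trim($gid);
        if ($gid > 0) {
            $memberships[] = $gid;
        }
    }

    // A banned membership overrides every other group.
    if (in_array(GROUP_IDS['banned'], $memberships, true)) {
        return false;
    }

    // Strict comparison: integer against integer, no type juggling.
    return in_array(GROUP_IDS[$groupName], $memberships, true);
}

// Constructed sample rows, shaped like $mybb->user (not real accounts).
$samples = [
    'member'        => ['usergroup' => '2', 'additionalgroups' => '12,15'],
    'banned member' => ['usergroup' => '7', 'additionalgroups' => '12'],
    'guest'         => ['usergroup' => '1', 'additionalgroups' => ''],
];
foreach ($samples as $label => $row) {
    printf("%-14s extrapages: %s\n", $label,
        user_is_in_group($row, 'extrapages') ? 'allow' : 'deny');
}
// A misspelled group name is denied rather than matched loosely.
var_dump(user_is_in_group($samples['member'], 'extrapagez'));
```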