hello .. i use the plugin named "
A CLEAR NEWS BAR"
https://mods.mybb.com/view/a-clear-news-bar
it dosn't work with mybb 1.8.18, so i made some modification (i am not specialist in php)...now it work perfectly...but i dont know if its safe for my forum or it vulnerable.
here is the modified code :
<?php
if(!defined("IN_MYBB"))
{
die("Direct initialization of this file is not allowed.<br /><br />Please make sure IN_MYBB is defined.");
}
$plugins->add_hook('pre_output_page','aclearnewsbar');
function aclearnewsbar_info()
{
return array
(
"name"=>"A clear news bar",
"description"=>"Shows a clear bar with latest news from your portal page.",
"website"=>"http://www.ajdija.com",
"author"=>"Mateusz Grzesiukiewicz",
"authorsite"=> "http://www.ajdija.com",
"version"=>"1.0",
"guid"=>"7dc27e3041bfe6e412f1a9b2f7634db2",
"compatibility"=>"18*"
);
}
function aclearnewsbar($page)
{
global $mybb,$theme, $db;
$announcements = '';
$query = $db->query("
SELECT t.*, t.username AS threadusername, tp.prefix AS THREADPREFIX, tp.displaystyle AS D_STYLE
FROM ".TABLE_PREFIX."threads t
LEFT JOIN " .TABLE_PREFIX. "threadprefixes tp ON (t.prefix = tp.pid)
WHERE t.visible='1' AND t.closed NOT LIKE 'moved|%'
ORDER BY t.dateline DESC
LIMIT 0,10 "
);
$news = '';
while($announcement = $db->fetch_array($query))
{
$announcement['threadlink'] = get_thread_link($announcement['tid']);
$announcement['subject'] = htmlspecialchars_uni($announcement['subject']);
$announcement['threadusername'] = htmlspecialchars_uni($announcement['threadusername']);
$announcement['threadprefix'] = htmlspecialchars_uni($announcement['THREADPREFIX']);
//$announcement['D_STYLE'] = htmlspecialchars_uni($announcement['D_STYLE']);
$news = $news.' '.$announcement['D_STYLE'].' '.'<strong><a href="'.htmlspecialchars_uni($announcement['threadlink']).'">'.htmlspecialchars_uni($announcement['subject']).'</a> </strong>['.htmlspecialchars_uni($announcement['threadusername']).'] <i class="fa fa-quote-left" aria-hidden="true"></i>
';
}
$page=preg_replace('#<div class="navigation">(.*)</div>#Usi','<div class="navigation">$1</div><br />
<table border="0" cellspacing="'.$theme["borderwidth"].'" cellpadding="'.$theme["tablespace"].'" class="tborder" style="border-radius: 6px 6px 0 0;">
<thead>
<tr>
<td class="thead" width="100" align="center" style="color: aquamarine; border-radius: 0 6px 0 0"><strong>آخر '.
/* Use below code and set ^^(width) higher if you want board name to be said:
$mybb->settings['bbname']
*/
'المواضيع : </strong></td><td class="thead" style="color: aqua;border-radius: 6px 0 0 0;text-shadow:none;"><marquee direction="right" scrollamount="6" onmouseover="this.stop();" onmouseout="this.start();">'.$news.'</marquee></td>
</tr>
</thead>
</table>',$page);
return $page;
}
?>
my forum here : sciences.unaux.com
I tend to believe that plugins and mods hosting by MyBB.com are as safe as possible. They are normally approved by the staff after evaluation.
(2018-09-07, 08:57 AM)meetdilip Wrote: [ -> ]I tend to believe that plugins and mods hosting by MyBB.com are as safe as possible. They are normally approved by the staff after evaluation.
thank you ... but i mean if its safe after my modification ?
(2018-09-07, 09:47 AM)sandokhane Wrote: [ -> ] (2018-09-07, 08:57 AM)meetdilip Wrote: [ -> ]I tend to believe that plugins and mods hosting by MyBB.com are as safe as possible. They are normally approved by the staff after evaluation.
thank you ... but i mean if its safe after my modification ?
It's hard to tell.
You can contact my admin, 0xB9
HERE and ask his assistance in checking it for vulnerabilities.
(2018-09-07, 08:57 AM)meetdilip Wrote: [ -> ]I tend to believe that plugins and mods hosting by MyBB.com are as safe as possible. They are normally approved by the staff after evaluation.
This is
false. Users can now upload plugins to MyBB at their own will. The author can can staff to review the plugin but this does not mean it's "safe".
As for the code above, it looks fine in terms of it being exploitable. Unsure why you've used htmlspecialchars_uni numerous times though. For example:
$announcement['subject'] = htmlspecialchars_uni($announcement['subject']);
Why not then use
$announcement['subject'] in the a href link? Would make much more sense to me IMO.
(2018-09-07, 01:42 PM)Wires Wrote: [ -> ]Why not then use $announcement['subject'] in the a href link? Would make much more sense to me IMO.
really i dont know ..but it's from original plugin author.
i will try to correct this...
but i need more details about the security of this plugin.
thank you.
OK here my updated code (+with relative date) ..work perfect..but always i dont know if it's safe or not
<?php
/*
A clear news bar plugin for MyBB
* v. 1.0
* Last edit: 5 August 2010
* Shows a clear news bar on your forum pages.
* Copyright (C) 2009 & 2010 Mateusz Grzesiukiewicz also known as Ajdija
* Website: http://www.ajdija.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
if(!defined("IN_MYBB"))
{
die("Direct initialization of this file is not allowed.<br /><br />Please make sure IN_MYBB is defined.");
}
$plugins->add_hook('pre_output_page','aclearnewsbar');
function aclearnewsbar_info()
{
return array
(
"name"=>"A clear news bar",
"description"=>"Shows a clear bar with latest news from your portal page.",
"website"=>"http://www.ajdija.com",
"author"=>"Mateusz Grzesiukiewicz",
"authorsite"=> "http://www.ajdija.com",
"version"=>"1.0",
"guid"=>"7dc27e3041bfe6e412f1a9b2f7634db2",
"compatibility"=>"18*"
);
}
function aclearnewsbar($page)
{
global $mybb,$theme, $db;
$announcements = '';
$query = $db->query("
SELECT t.tid,t.subject, t.username AS threadusername, t.dateline as date_p, tp.displaystyle AS D_STYLE
FROM ".TABLE_PREFIX."threads t
LEFT JOIN " .TABLE_PREFIX. "threadprefixes tp ON (t.prefix = tp.pid)
WHERE t.visible='1' AND t.closed NOT LIKE 'moved|%'
ORDER BY t.dateline DESC
LIMIT 0,10 " // number of latest threads
);
$news = '';
function getTheDay($date)
{
date_default_timezone_set('Europe/Paris'); // !important set timezone
$curr_date=date("Y-m-d"); // format the date (to remove hours and minutes and secondes)
$curr_date=strtotime($curr_date); // date to integer
if (date('I', time())) // test dst
{
// echo "We are in DST!";
$curr_date=$curr_date - 3600; // correct the DST using local time
$curr_date=date("Y-m-d"); // integer to date again
$curr_date=strtotime($curr_date); //date to integer again (to remove hours and minutes and secondes)
}
$the_date=$date-3600; //mybb use DST by default.
$the_date=date("Y-m-d",$the_date); // integer to date (to remove hours and minutes and secondes)
$the_date=strtotime($the_date); //date to integer again
$diff=$curr_date-$the_date;
$diff =$diff/86400; // 1 day= 86400 sec
switch($diff)
{
case 0:
return 'Today';
break;
case 1:
return "Yesterday";
break;
case 2:
return "two days ago";
break;
default:
return date("Y-m-d",$the_date);
}
}
while($announcement = $db->fetch_array($query))
{
$announcement['threadlink'] = get_thread_link($announcement['tid']);
//$announcement['subject'] = htmlspecialchars_uni($announcement['subject']);
//$announcement['threadusername'] = htmlspecialchars_uni($announcement['threadusername']);
$announcement['date_p']=getTheDay($announcement['date_p']);
$news = $news.' <span style="background: white;color:black;height: 16px;line-height: 16px;padding: 0px 5px;font-size: 9px;font-weight: bold;border-radius: 4px;vertical-align: middle;
">'.$announcement['date_p'].'</span> '.$announcement['D_STYLE'].' '.'<strong><a href="'.$announcement['threadlink'].'">'.$announcement['subject'].'</a> </strong>['.$announcement['threadusername'].'] <i class="fa fa-quote-left" aria-hidden="true"></i>
';
}
$page=preg_replace('#<div class="navigation">(.*)</div>#Usi','<div class="navigation">$1</div><br />
<table border="0" cellspacing="'.$theme["borderwidth"].'" cellpadding="'.$theme["tablespace"].'" class="tborder" style="border-radius: 6px 6px 0 0;">
<thead>
<tr>
<td class="thead" width="100" align="center" style="color: aquamarine; border-radius: 0 6px 0 0"><strong>Last '.
/* Use below code and set ^^(width) higher if you want board name to be said:
$mybb->settings['bbname']
*/
'threads : </strong></td><td class="thead" style="color: aqua;border-radius: 6px 0 0 0;text-shadow:none;"><marquee direction="right" scrollamount="6" onmouseover="this.stop();" onmouseout="this.start();">'.$news.'</marquee></td>
</tr>
</thead>
</table>',$page);
return $page;
}
?>
demo (my forum) :
http://sciences.unaux.com/
past2.org :
https://paste2.org/m01OahM3