/**
* MyBB 1.2 SQL Injection Vulnerability fix
*
* This is a temporary patch for MyBB 1.2 boards
* to protect against an SQL injection vulnerability
* before they are ready to upgrade to 1.2.1
*
* This patch file also adds additional protection
* against users attempting to perform XSS attacks
* with register_globals on and variable overriding
*
*/
-------------------
1. inc/class_core.php
-------------------
Find:
--
// Set up MyBB
--
UNDER it add:
--
$protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_SERVER", "_ENV", "GLOBALS");
foreach($protected as $var)
{
if($_REQUEST[$var] || $_FILES[$var] || $_COOKIE[$var])
{
die("Hacking attempt");
}
}
--
-------------------
1. inc/datahandlers/user.php
-------------------
Find:
--
if($this->method == "insert" || (array_key_exists('showcodebuttons', $options) && $options['showcodebuttons'] != 0))
--
Replace with:
--
if($this->method == "insert" || (array_key_exists('showcodebuttons', $options) && $options['showcodebuttons'] != '0'))
--
ALL DONE.
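Review bot: In the inc/class_core.php addition, the guard tests the truthiness of `$_REQUEST[$var]`, `$_FILES[$var]` and `$_COOKIE[$var]`, so a request that supplies a protected name with an empty or `0` value is not rejected. Reading the unset keys can also raise undefined-index notices on ordinary requests. Testing for presence covers both: `if(isset($_REQUEST[$var]) || isset($_FILES[$var]) || isset($_COOKIE[$var]))`. The `$protected` list also names `_SERVER` twice and leaves out `_REQUEST` and `_SESSION`, which belong there if the intent is to cover every superglobal. The code around the `// Set up MyBB` anchor is not shown, so whether this runs before any request variable is read should be confirmed in the file itself.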
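Review bot: The replacement condition in inc/datahandlers/user.php still uses a loose `!=`, now against the string `'0'`, so the result still depends on PHP type juggling; numeric strings such as `'00'` or `'0.0'` compare equal to `'0'`. The body of this `if` is not shown, but presumably it is the validation step that the old `!= 0` skipped for non-numeric strings, since those compared equal to integer 0. If so, a sturdier fix is to normalise the option before the test, for example `$options['showcodebuttons'] = intval($options['showcodebuttons']);`. The value should also be cast or escaped at the point where the query is built. That way the query does not rely on this one comparison as its only protection.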