MyBB Community Forums
[Duplicate] Input manipulation causing Full Path Disclosure (ACP-wide) - Printable Version

+----- Thread: [Duplicate] Input manipulation causing Full Path Disclosure (ACP-wide) (/thread-168997.html)



Input manipulation causing Full Path Disclosure (ACP-wide) - Devilshakerz - 2015-03-28

While the front-end seems to be pulling the user input using $mybb->get_input(), which converts it to the expected types, this is not being done in the ACP, and simple input type manipulation (e.g. submitting arrays instead of string values) allows triggering PHP errors related to the provided values' types and the functions they have been passed to.

Code sample:
https://github.com/mybb/mybb/blob/feature/admin/modules/config/banning.php#L25

This issue refers to a vast majority of POST forms as well as mechanisms relying on GET parameters present in the ACP.
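
Added example, not part of the original posts and not MyBB's own code: a minimal PHP sketch of the difference the post above describes between reading a request value raw and reading it through a type-coercing accessor. `typed_input()`, the `IN_*` constants and the request data are assumptions made for illustration; `typed_input()` only stands in for the role the post gives to $mybb->get_input().

```php
<?php
// Added illustration. typed_input() and the IN_* constants are hypothetical
// stand-ins for a type-coercing accessor; this is not MyBB's implementation.

const IN_STRING = 0;
const IN_INT    = 1;
const IN_ARRAY  = 2;

/** Return $source[$name] coerced to the type the caller expects. */
function typed_input(array $source, string $name, int $type = IN_STRING)
{
    $value = $source[$name] ?? null;
    switch ($type) {
        case IN_ARRAY:
            return is_array($value) ? $value : [];
        case IN_INT:
            return is_scalar($value) ? (int) $value : 0;
        default:
            // An array submitted where a string is expected becomes ''.
            return is_scalar($value) ? (string) $value : '';
    }
}

// Raw access: the submitted value reaches a string function unchanged.
function raw_reason(array $post): string
{
    // Array given: E_WARNING on PHP 5/7, TypeError on PHP 8. With
    // display_errors on, the message names this file's absolute path.
    return trim($post['reason']);
}

// Coerced access: the string function always receives a string.
function coerced_reason(array $post): string
{
    return trim(typed_input($post, 'reason'));
}

// Constructed input: PHP parses a body of "filter=...&reason[]=y" like this.
$post = ['filter' => ' 203.0.113.7 ', 'reason' => ['y']];

try {
    raw_reason($post);
    echo "raw: no error\n";
} catch (TypeError $e) {
    echo 'raw: ', get_class($e), " raised\n";
}
echo "coerced reason: '", coerced_reason($post), "'\n";
echo "coerced filter: '", trim(typed_input($post, 'filter')), "'\n";
```

Independently of input typing, keeping display_errors off in production sends any remaining type error to the log instead of the response.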


RE: Input manipulation causing Full Path Disclosure (ACP-wide) - Euan T - 2015-03-28

Yeah, the ACP is a bit of a mess. We need to find the time to go through and fix it up.


RE: Input manipulation causing Full Path Disclosure (ACP-wide) - Jones H - 2015-06-27

Marking as duplicate. There are already several issues, a PR and some things have been fixed already.