MyBB Community Forums
[Pushed] XSS and $mybb->input in Templates - Printable Version

+- MyBB Community Forums (https://community.mybb.com)
+-- Forum: Development (https://community.mybb.com/forum-161.html)
+--- Forum: MyBB 1.8 Development (https://community.mybb.com/forum-165.html)
+---- Forum: 1.8 Bugs and Issues (https://community.mybb.com/forum-157.html)
+----- Forum: Pushed (https://community.mybb.com/forum-183.html)
+----- Thread: [Pushed] XSS and $mybb->input in Templates (/thread-216966.html)



XSS and $mybb->input in Templates - labrocca - 2018-04-14

I'd like to point out that MyBB templates should never use $mybb->input directly in the templates. This creates a situation where the data is not sanitized on the page. This opens up XSS where links to the page could insert malicious code including javascript to execute on the site including things like login popups which may mimic site login popup and then steal the credentials.

XSS is low-risk but still a risk and it's not the best practice to use unsanitized user input anywhere. But MyBB does this in a number of the default/master templates.

Most of the time the $mybb->input is used in case there is an error in form submission and the data remains in the form. That's convenient for the member but it's a risk as well. I suggest that MyBB does a template search and see which templates do this in order to decide if they want to sanitize the input or just remove the convenience.


Please review asap.


RE: XSS and $mybb->input in Templates - effone - 2018-04-14

29 instances throughout all the templates. Just for info ...


RE: XSS and $mybb->input in Templates - Omar G. - 2018-04-15

If I understand correctly, this should be fixed when updating the template system, won't it ? For current version, I would think all of that currently used are cleaned within the code before evaling the template.


RE: XSS and $mybb->input in Templates - Euan T - 2018-04-15

Yes, the move to Twig will solve this issue luckily, but if there are only 29 current cases, I'd say it's worthwhile double checking them to ensure they're all cleaned. I'll push this to GitHub to track that.


RE: XSS and $mybb->input in Templates - Euan T - 2018-04-15

Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/3124

Thanks for contributing to MyBB!

Regards,
The MyBB Group