MyShoutbox 1.7 security problem: CSRF
#1
Hello, can someone help me secure this plugin? It is a very good plugin, but it has some security problems.

For the CSRF, I know we need to use a token.

inc/plugins/tpl_sf_shoutbox.txt
find:
<td class="trow2" align="center"><form onSubmit="ShoutBox.postShout(); $('shout_data').value = ''; return false;">{$lang->sf_sb_shout} <input type="text" id="shout_data" size="50" /> - <input type="submit" value="{$lang->sf_sb_shoutnow}" id="shouting-status" /></form></td>

replace by:
<td class="trow2" align="center"><form onSubmit="ShoutBox.postShout(); $('shout_data').value = ''; return false;">{$lang->sf_sb_shout} <input type="hidden" id="shout_key" value="{$mybb->post_code}" /><input type="text" id="shout_data" size="50" /> - <input type="submit" value="{$lang->sf_sb_shoutnow}" id="shouting-status" /></form></td>

jscripts/shoutbox.js
find:
message = $("shout_data").value;

and put this line after it:
key = $("shout_key").value;

find:
postData = "shout_data="+encodeURIComponent(message).replace(/\+/g, "%2B");

replace by:
postData = "shout_data="+encodeURIComponent(message).replace(/\+/g, "%2B")+"&shout_key="+key;

inc/plugins/spicefuse_shoutbox.php
find:
if ($mybb->user['usergroup'] == 1 OR $mybb->user['uid'] < 1 OR !sb_can_view()) {
die("failed!");
}

and put this line after it:
verify_post_check($mybb->input['shout_key']);

After that, deactivate/reactivate the shoutbox plugin and it's done.


But this correction is for the Spicefuse shoutbox. How can I adapt it for MyShoutbox 1.7?
Because for the last step:


inc/plugins/spicefuse_shoutbox.php
find:
if ($mybb->user['usergroup'] == 1 OR $mybb->user['uid'] < 1 OR !sb_can_view()) {
die("failed!");
}

I can't find this line in the MyShoutbox 1.7 plugin.



Sorry for my bad English.

Help me, thanks in advance.
#2
No one can help me?
#3
Those instructions are for the Spicefuse shoutbox and not MyShoutbox, thus they may not apply correctly.
There is a CSRF vulnerability for sure, which I always forget to fix when I've got some free time. It isn't a big deal though; it won't damage your forum.
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
#4
Thanks for your reply.

