Is this code malicious?
#1
Hi all
I've found the following code in forumdisplay.php (MyBB 1.6.10). Is it malicious? A backdoor or so...

// Needs to be initialized in order to speed-up things. Fixes #2031
$orderarrow = array('rating'=>'', 'subject'=>'', 'starter'=>'', 'replies'=>'', 'views'=>''); 
eval("\$orderarrow['$sortby'] = \"".$templates->get("forumdisplay_orderarrow")."\";");
#2
Why would it be? For example, if you have the following code, PHP will parse $variable as its actual value.

$variable = "test";
echo "this is variable's value: {$variable}";

MyBB uses eval to "execute" templates so that the variables get replaced with their values. There is nothing insecure about the code you have posted.
#3
Thanks
I have a wordpress plugin which recognizes that code as suspicious.

Thanks again for your help
#4
The code is suspicious. It would be malicious if $sortby, which is originally untrustworthy user input, were not cleaned properly. That's the case though (although not obviously so). So not a problem, hopefully.

The code could be improved if this were implemented: https://github.com/firestryke31/mybb/com...03f341cf0a (although there's an error in this particular line of the suggested commit)


Edit: In case the wordpress plugin (which one?) warned because it has eval(), which is evil - well, MyBB uses that for all its templates everywhere. It's only malicious if someone managed to put malicious code in your templates.


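The point made in #4, as an added example that is not code from MyBB or from anyone in this thread: the eval() line splices the template body into a double-quoted PHP string so that template variables interpolate, and that is harmless only if $sortby has already been restricted to a known set of keys before it reaches eval(). Everything below is constructed for illustration: the TemplateStore class, the template text, and the sanitize_sortby, eval_source and build_orderarrow helpers are hypothetical stand-ins, and the whitelist in sanitize_sortby stands in for whatever validation MyBB performs on $sortby upstream in forumdisplay.php.

```php
<?php
// Added example, not MyBB's own code: a small model of the template-eval
// pattern from forumdisplay.php, with the whitelist check that makes it safe.

// Stand-in for MyBB's $templates object. The template text is constructed for
// this example; the real forumdisplay_orderarrow template differs.
final class TemplateStore
{
    private array $templates = [
        'forumdisplay_orderarrow' => '<span class="smalltext">{$sortby} ({$order})</span>',
    ];

    public function get(string $name): string
    {
        $template = $this->templates[$name] ?? '';
        // Escape the template so its own double quotes survive being wrapped in
        // the double-quoted PHP string that eval() receives (single quotes are
        // left readable). This models the escaping MyBB's template class applies.
        return str_replace("\\'", "'", addslashes($template));
    }
}

// The only values $sortby may take when it reaches eval().
const ALLOWED_SORTBY = ['rating', 'subject', 'starter', 'replies', 'views'];

// Hypothetical helper: whitelist the user-supplied sort key, falling back to a
// default. Anything not in the list never becomes part of the eval()'d source.
function sanitize_sortby(string $input): string
{
    return in_array($input, ALLOWED_SORTBY, true) ? $input : 'subject';
}

// Builds the exact PHP source string the eval() in the thread executes, without
// running it, so the effect of an unfiltered $sortby can be inspected safely.
function eval_source(string $sortby, string $templateBody): string
{
    return "\$orderarrow['$sortby'] = \"" . $templateBody . "\";";
}

// The hardened version of the pattern: same eval(), but $sortby is whitelisted
// first, and $orderarrow is pre-initialised as in the snippet from the thread.
function build_orderarrow(TemplateStore $templates, string $sortby, string $order): array
{
    $orderarrow = array_fill_keys(ALLOWED_SORTBY, '');
    $sortby = sanitize_sortby($sortby);
    // $sortby and $order are in scope here, so {$sortby} and {$order} in the
    // template body interpolate when eval() runs the double-quoted string.
    eval(eval_source($sortby, $templates->get('forumdisplay_orderarrow')));
    return $orderarrow;
}

$templates = new TemplateStore();
$body = $templates->get('forumdisplay_orderarrow');

// 1. A whitelisted key: the source is well-formed and the variables interpolate.
echo eval_source('replies', $body), PHP_EOL;
$arrows = build_orderarrow($templates, 'replies', 'desc');
echo $arrows['replies'], PHP_EOL;

// 2. A hostile key, shown only as source text: the single quote closes the array
// index and the rest of the value would run as PHP if it ever reached eval().
$hostile = "views']; echo 'injected'; //";
echo eval_source($hostile, $body), PHP_EOL;

// 3. The same key through the hardened path: it is replaced by the default, so
// only the 'subject' entry is filled and nothing attacker-controlled is eval()'d.
$arrows = build_orderarrow($templates, $hostile, 'asc');
foreach ($arrows as $key => $html) {
    if ($html !== '') {
        echo "filled: $key", PHP_EOL;
    }
}
```

Step 2 is the case #4 describes: with an unfiltered $sortby the injected text becomes part of the PHP source, which is exactly what a scanner keying on eval() is worried about. Step 3 shows why the real code is acceptable once the key is known to come from a fixed list: the template body itself is admin-controlled, so the only untrusted input to the eval() is the array index, and a whitelist removes it. Note that the template body is still trusted code, which is the second half of #4's remark about malicious templates.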