[Duplicate] Input manipulation causing Full Path Disclosure (ACP-wide)
#1
While the front-end seems to be pulling the user input using $mybb->get_input(), which converts it to the expected types, this is not being done in the ACP, and simple input type manipulation (e.g. submitting arrays instead of string values) makes it possible to trigger PHP errors related to the provided values' types and the functions they have been passed to.

Code sample:
https://github.com/mybb/mybb/blob/featur...ng.php#L25

This issue refers to a vast majority of POST forms as well as mechanisms relying on GET parameters present in the ACP.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
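Added example, not part of the original post and not MyBB's own code: a minimal PHP sketch of the difference the report describes between handing a raw request value to a string function and reading it through a type-coercing getter. The helper `typed_input()`, the function `raw_title()` and the sample field names are hypothetical, and the request array is constructed.

```php
<?php
// Constructed sample: the array PHP builds for a request body of
// "title[]=x&fid=12abc", i.e. a string field submitted as an array.
$request = ['title' => ['x'], 'fid' => '12abc'];

// Hypothetical helper (an assumption, not MyBB's implementation):
// return the parameter coerced to the expected type, never the raw value.
function typed_input(array $src, string $name, string $type = 'string')
{
    $value = $src[$name] ?? null;
    switch ($type) {
        case 'int':
            return is_scalar($value) ? (int) $value : 0;
        case 'array':
            return is_array($value) ? $value : [];
        default: // 'string'
            return is_scalar($value) ? (string) $value : '';
    }
}

// Raw use: a string function receives whatever type the client sent.
function raw_title(array $src)
{
    try {
        return trim($src['title']);
    } catch (TypeError $e) {
        // PHP 8 throws a TypeError here; PHP 7 emits a warning instead.
        // Either way the error carries the script's filesystem location,
        // which is what gets disclosed when errors are shown to the client.
        return sprintf('%s raised in %s:%d',
            get_class($e), $e->getFile(), $e->getLine());
    }
}

// Raw path: the error text includes the absolute path of this file.
echo raw_title($request), PHP_EOL;

// Coerced path: the array is rejected and replaced by a safe default,
// so the string function never sees a non-string argument.
var_dump(trim(typed_input($request, 'title')));  // string(0) ""
var_dump(typed_input($request, 'fid', 'int'));   // int(12)
var_dump(typed_input($request, 'missing'));      // string(0) ""
```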
#2
Yeah, the ACP is a bit of a mess. We need to find the time to go through and fix it up.
#3
Marking as duplicate. There are already several issues, a PR and some things have been fixed already.
Support PMs will be ignored!