Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
MultiBB for MyBB
#11
I am interested in an alternative to BMR777's script since I currently run a small MyBB forum host. Smile

(02-28-2010, 11:24 PM)frostschutz Wrote: MyBB isn't intended to be multi hosted this way, if you do it anyways, expect to be hacked by anyone who signs up and executes arbitrary PHP code via the Admin CP Template system.
Now this made me laugh. Big Grin
-Joe
AFreeCloud - Free Cloud-Based Web Hosting!
Reply
#12
$tpl = strtr($tpl, array('{' => '\\{', '$' => '\\$', '}' => '\\}'));
$tpl = preg_replace('~\\\\\\{\\\\\\$([a-z0-9_]+)((\\[['"][a-z0-9_]+['"]\\])*)\\\\\\}~e',
'fix_thing(\'$1\', \'$2\')', $tpl);

function fix_thing($n, $s) {
  return '{$'.$n.str_replace('\\"', '"', $s).'}';
}
Haven't tried, but I guess something like that should do, assuming you quote this post so that it doesn't get stuffed up by the MyBB parser.

BTW, whilst I'm here, I suggest MyBB make a change similar to this.
Executing PHP in templates is an exploit. Admins are trusted to administrate your board, not execute arbitrary code. It's the same concept behind why there's a separation between moderators and administrators - both are trusted, however the former is not trusted to administrate the board.
Also, this certainly isn't a feature. If it's needed, there's a plugin which can explicitly enable this.

Whether this is going to be blatantly stated as not being an exploit is MyBB staffs' decision, however I strongly suggest making clear to end users that allowing anyone to edit templates explicitly allows execution of arbitrary code if this isn't going to be changed, as I don't think this is obvious to the average user.
Also, it would be nice if threads like these aren't simply closed like that. The last time I checked, forums were meant for discussion, not meant for stifling discussion. Unless you are very very certain that your decision is the wisest and that further discussion will absolutely not be helpful, I would consider not jumping the gun at closing topics.
Reply
#13
Thanks for the replies - I'm not too familiar with MyBB, so obviously it would not be implemented in an upcoming version of MultiBB. I've done a ton of research and put into place many measures which ensure server safety for the phpBB version, I'm sure the same could be done for MyBB.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)