[MyBB Plugin] Board Announcements Manager (For 1.6 and 1.8)
#16
Thank you! Let me know if you find any glitches or weird issues. Or if there are any other features or tags that you can think of.
#17
Nice input sanitization.
Was trying to figure out why using HTML-encoded payloads wasn't working in event handlers or as src="javascript:", then rage-clicking "Edit as HTML" led me to find &zwnj; being injected into both javascript: and event handlers. LOL
Dunno if you added that or if it's a MyBB feature by default, but pretty good anti-XSS lmao
#18
Haha, you made my day by NOT reporting that as a bug. People used to complain that it wouldn't let JavaScript be posted in announcements. I went out of my way to make sure it didn't. Incidentally, the MyBB ACP is full of security holes (I've seen several SQL injections out in plain code), but it's the ACP. If someone can access the ACP, you're already screwed.

If you absolutely need JavaScript, you have to explicitly declare a different template with the [@template:] tag, and then it just loads the raw template (which could have whatever you want in it) and runs with it. You can add templates anyway from the ACP, so this is more of an advanced-mode feature than it is a security issue. It's there for people who wanna do crazy things with it and who want to get a little more creative.

There was technically little reason to really sanitize anything from the ACP because any function that is loaded by the ACP at all kicks you out if you aren’t logged in as an admin. But I felt it was lazy to not sanitize anyway.
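The defanging behaviour described in the two posts above (a zero-width non-joiner injected into javascript: URLs and on* event-handler attributes, with entity-encoded payloads still caught) can be reproduced as follows. This is an added example, not code from the BAM plugin or from MyBB; the function and pattern names are this example's own, and the sample announcement markup is constructed for the demonstration.

```python
import html
import re

# Added example (not the plugin's code): neutralise javascript: URLs and on*
# event-handler attributes by injecting a zero-width non-joiner (&zwnj;), the
# behaviour observed in the thread. Entity-encoded variants are decoded before
# the check so that "&#106;avascript:" cannot slip past.

ZWNJ = "&zwnj;"

# Only process the inside of start tags; text content such as "a=b" is left alone.
TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")
ATTR_RE = re.compile(
    r"""(?P<name>[^\s"'>/=]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<uq>[^\s>]+))"""
)


def _normalise(value: str) -> str:
    """Decode entities (twice, for double encoding), strip whitespace and
    control characters, and lower-case, so obfuscated schemes compare cleanly."""
    decoded = html.unescape(html.unescape(value))
    return re.sub(r"[\s\x00-\x1f]", "", decoded).lower()


def _fix_attr(m: "re.Match") -> str:
    name = m.group("name")
    raw = next(g for g in (m.group("dq"), m.group("sq"), m.group("uq")) if g is not None)

    # Event handlers: "on&zwnj;click" is no longer an event-handler attribute.
    # Attribute names are not entity-decoded, so the six literal characters stay.
    if len(name) > 2 and name[:2].lower() == "on":
        name = name[:2] + ZWNJ + name[2:]

    norm = _normalise(raw)
    if norm.startswith("javascript:"):
        # Rewrite the value in canonical form with the ZWNJ inside the scheme
        # word; after entity decoding the browser sees "javascript\u200c:",
        # which is not a valid URL scheme, so the URL is never executed.
        rest = html.escape(norm[len("javascript:"):], quote=True)
        value = "javascript" + ZWNJ + ":" + rest
    else:
        value = raw.replace('"', "&quot;")

    # Always emit a double-quoted attribute so unquoted values cannot break out.
    return f'{name}="{value}"'


def neutralise_active_content(fragment: str) -> str:
    """Return the fragment with javascript: URLs and on* handlers defanged."""
    return TAG_RE.sub(lambda t: ATTR_RE.sub(_fix_attr, t.group(0)), fragment)


if __name__ == "__main__":
    # Constructed sample announcement markup, not real forum data.
    sample = (
        '<a href="&#106;avascript:alert(1)" onclick="alert(2)">hi</a>'
        "<img src='java\tscript:alert(3)'><b>a=b</b>"
    )
    print(neutralise_active_content(sample))
```

Running it once more over its own output changes nothing, because `&zwnj;` decodes to U+200C, which the normalisation step does not strip, so an already-defanged scheme no longer matches. Note that this regex pass only reproduces the specific behaviour reported in the thread; it is not a complete HTML sanitizer and does not cover other active-content vectors.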
#19
I just finished a full-on round of as much penetration testing as possible. Tried throwing script, onchanges, onclicks, rogue characters, whatever I could think of. Did it in the class fields, in the ACP, in the announcement, in the usergroup fields, and anywhere else that I could possibly think of. Things that take numeric values even, things that aren't even the announcement.

It even sanitizes the username if a user's username is javascript. MyBB doesn't even allow this, but if they found a way to change their username to javascript characters and tried to run it past the {username} tag, BAM won't even let this one past.

It passed with flying colors. This thing has full support for HTML for everything except JavaScript and rogue stuff.
#20
The original BAM, before it was even BAM. It's come a long way...

[Image: 4qeRm.png]