
BB Code security patch

Two security flaws in the BB code parsing have recently been discovered by two of our users. Grindordie found that a user could virtually deface areas of the site that utilise the [color] tags. While this does not cause any harm, it can be rather annoying. EasyEx's discovery is quite a troublesome one: an attacker can potentially delete items from your site using the [img] tags without anyone knowing. As usual I have produced the required fixes. The SourceForge files have been updated; existing users can download the new maincore.php file from the downloads area.

Updated: I've refined the code and updated the files. If you prefer to update the code yourself, click Read More for instructions.

Update 2: The original [img] BB code fix does not quite cure the problem, so we have now come up with a better solution. The SourceForge and update files have been updated. Click Read More to see the new code.

Edit maincore.php and replace the following lines located under function parseubb($message) {

Replace $ubbs1[10] and $ubbs2[10]:
$ubbs1[10] = '#\[img\](.*?)\[/img\]#si';
$ubbs2[10] = '';



With: (Updated 06/08/2005)
$ubbs1[10] = "#\[img\]((http|ftp|https|ftps)://)(.*?)(\.(jpg|jpeg|gif|png|JPG|JPEG|GIF|PNG))\[/img\]#sie";
$ubbs2[10] = "''";




Replace $ubbs1[12] and $ubbs2[12]:
$ubbs1[12] = '#\[color=(.*?)\](.*?)\[/color\]#si';
$ubbs2[12] = '\2';



With:
$ubbs1[12] = '#\[color=(black|blue|brown|cyan|gray|green|lime|maroon|navy|olive|orange|purple|red|silver|violet|white|yellow)\](.*?)\[/color\]#si';
$ubbs2[12] = '\2';
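
An added example, not PHP-Fusion's own code: the same allow-list approach as the replacement patterns above, written with preg_replace_callback because the `e` modifier used in the patched [img] pattern was removed in PHP 7. The function names, the output markup and the stricter URL rule (fixed character set, no query string) are assumptions made for this example.

```php
<?php
// Added example, not PHP-Fusion code; all function names are hypothetical.

// Colour names copied from the allow-list in the patched $ubbs1[12] pattern.
const BB_COLORS = ['black', 'blue', 'brown', 'cyan', 'gray', 'green', 'lime',
    'maroon', 'navy', 'olive', 'orange', 'purple', 'red', 'silver', 'violet',
    'white', 'yellow'];

// Assumption: stricter than the page's [img] rule. Scheme and image extension
// as on the page, plus a fixed character set that excludes query strings.
const BB_IMG_URL = '#^(?:https?|ftps?)://[a-z0-9.-]+(?::\d+)?/[a-z0-9._~/-]*\.(?:jpe?g|gif|png)\z#i';

function bb_color(array $m): string
{
    $name = strtolower($m[1]);
    // Anything outside the list is left as literal text, never put in style=.
    return in_array($name, BB_COLORS, true)
        ? "<span style='color:$name'>{$m[2]}</span>"
        : $m[0];
}

function bb_img(array $m): string
{
    // A URL that fails validation stays as literal text instead of an <img>.
    return preg_match(BB_IMG_URL, $m[1]) === 1
        ? "<img src='{$m[1]}' alt=''>"
        : $m[0];
}

function bb_render(string $message): string
{
    // Escape first, so the only markup in the output is what the callbacks emit.
    $html = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    $html = preg_replace_callback('#\[img\](.*?)\[/img\]#si', 'bb_img', $html) ?? $html;
    return preg_replace_callback('#\[color=(.*?)\](.*?)\[/color\]#si', 'bb_color', $html) ?? $html;
}

// Constructed sample posts: one accepted and one rejected input per tag.
$samples = [
    '[color=red]hello[/color]',
    '[color=red;font-size:50px]hello[/color]',
    '[img]http://example.org/pics/cat.JPG[/img]',
    '[img]http://example.org/page.php?id=1[/img]',
];
foreach ($samples as $post) {
    echo bb_render($post), PHP_EOL;
}
```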


Falk August 05 2005 15,076