Oh, the stupidity

[ZiNgA BuRgA]

I find it highly amusing:
http://mybbrunway.com/forums/thread-mytips

Ignoring the fact that the second code given isn't even valid HTML, they don't seem to get it even if the problem is basically thrown at them in the face.

Oh well, most MyBB community members are stupid, there's nothing new about that.
But if you do see anyone use something like that on your forum, you can have a field day with XSS exploiting them (psst, I bet the OP has it installed on his forum, if you want to mess some thing up, gaining admin access to his forum might be fun - that might teach him to actually care about security issues reported to him and maybe think twice about not giving clueless people exploitable code).

[1master1]

seems to be he had gone off the limits of his mind thinking that he too can develop some copy paste mycodes. its better to have an idea about what the code do and how far it is necessary for us. i loled at the yumi's reply.

[MattR]

At least you tried to explain it. To be honest custom MyCodes aren't really something I ask about when people say they've been hacked but I guess I should, it's never really crossed my mind. With this you could write something to read a cookie (mybbuser to get loginkey, adminsid to get admin session), redirect to a file on your server that stores that, and then redirect back to the original thread so nobody'd realise. Or execute a MyBB action as the post key is stored in a javascript variable. Or redirect to porn, or some other dodgy site. Or kill your CPU. Even worse that it uses onmouseover, you don't even need to click the link.

[ZiNgA BuRgA]

Most MyCodes don't stick replacements in Javascript, which isn't too bad.

Most MyCodes I've seen, however, are vulnerable to some injection.  MyBB filters out most Javascript (it forgets some events such as onError, onKeyPress etc) and escapes < and > characters, so the worst is often avoided, but people really need to avoid using the (.*?) match.
I tried writing an Easy MyCodes plugin, but it doesn't seem to have attracted much attention.

If MyBB still doesn't filter " characters by the time custom MyCode is parsed, the example in the first post is even worse, as CSS can be injected, eg:

Code:

[tip]aba');" style="position: absolute; left: 0; top: 0; display: block; width: 100%; height: 10000%;" rel="[/tip]

---

[ZiNgA BuRgA]

Try it yourself.

[ZiNgA BuRgA]

Then what are you asking?

[MattR]

Seem's Yumi's gone mad and has started talking to himself

[1master1]

Yeah, MattR.
Well, yumi. As you said we need to avoid (.*?) match, this plugin contains this match and is it vulnerable?

http://community.mybb.com/thread-66696.html

[ZiNgA BuRgA]

(10-24-2010 07:03 AM)MattR Wrote:  Seem's Yumi's gone mad and has started talking to himself

The fun of deleting messages - you can make the other person seem weird.
I'm guessing Imran has some connection with Shahaab and doesn't want others to be aware of it.

(10-24-2010 08:34 AM)1master1 Wrote:  this plugin contains this match and is it vulnerable?

http://community.mybb.com/thread-66696.html

Probably.

Code:

[img]http://example.com/invalid_image.gif" onerror="alert('hi');[/img]

---

[Harry]

(10-24-2010 10:20 AM)ZiNgA BuRgA Wrote:  

(10-24-2010 07:03 AM)MattR Wrote:  Seem's Yumi's gone mad and has started talking to himself

The fun of deleting messages - you can make the other person seem weird.
I'm guessing Imran has some connection with Shahaab and doesn't want others to be aware of it.

(10-24-2010 08:34 AM)1master1 Wrote:  this plugin contains this match and is it vulnerable?

http://community.mybb.com/thread-66696.html

Probably.

Code:

[img]http://example.com/invalid_image.gif" onerror="alert('hi');[/img]

---

Ummm.. I thought these plugins etc were supposed to be checked for this sort of thing before they get added? In either case that thread should be closed/locked and deleted till the issue is fixed with that plugin.