Mod Name / Version: Input validation mod (Security fix) 1.1.1
Description: You all probably noticed that several vulnerabilities have been found in ubb.threads over the last months/weeks. Some of them have been fixed by Infopop, but that's only the tip of the iceberg.
There's no proper input validation in ubb.threads, which makes the door wide open for sql injections. Additionally, the output of ubb.threads isn't escaped properly also. This can be used by "hackers" to start XSS (cross site scripting attacks).
Both types of attacks can used to compromise your boards. Either to damage it or to gain unauthorized access.
During a security audit of ubb.threads, I found more than 10 vulnerabilities.
Infopop is aware of this problem and will "take care" of it in the next release. As this will take at least "some weeks", I created a modification that will prevent most of this attacks.
Note that all current installations of ubb.threads are vulnerable at the moment and that some exploits have already been published to security mailing lists (last one yesterday).
If the modification detects a possible attack an error message is displayed and the attack is logged to a logfile.
Working Under: UBB.Threads 6.3-6.4-6.5
Mod Status: Finished
Any pre-requisites:
Author(s): Astaran
Date: 04/20/05
Credits:
Files Altered: ubbt.inc.php
New Files: Validate.php
Database Altered: no
Info/Instructions: Note that there are three versions of this modification (depending on the ubb.threads version you're using).
Just follow the instructions in instructions.txt.
More experienced users can enhance this class to also validate variables that are used in installed hacks/modifications. See the readme.txt for details.
Disclaimer: Please backup every file that you intend to modify.
If the modification modifies the database, it's a good idea to backup your database before doing so.
Note: If you modify your UBB.Threads code, you may be giving up your right for "official" support from Infopop.If you need official support, you'll need to restore unmodified files.
Donate to UBBDev today to help aid in Operational, Server and Script Maintenance, and Development costs.
Please also see our parent organization VNC Web Services if you're in the need of a new UBB.threads Install or Upgrade, Site/Server Migrations, or Security and Coding Services.