1.8.x

MySubscriptions 2.0.1 [Latest]

Submitted by Bitdefender, 07-06-2016, 02:37 PM, Thread ID: 21596

Thread Closed

07-06-2016, 02:37 PM

This post was last modified: 17-12-2018, 01:50 AM by Bitdefender

Code:
Description
 MySubscriptions allows board administrators to setup PayPal subscriptions on their MyBB forum.
 
 Features:
 Supports PayPal and CoinPayments.
 Multiple subscription plans.
 Option to create a plan which adds a usergroup to users's additional groups list when subscribing (instead of changing the primary group) - this allows a user to have multiple subscriptions on the site.
 Subscriptions logs (subscription creation, subscription cancellation, subscription expiration).
 Automatically removes someone from a usergroup they have subscribed once the subscription has expired.
 You can choose one-off payments instead of recurring subscriptions (which are only available for PayPal).
 Recurring payments stats page on the Admin CP which shows a list of subscribers to recurring subscriptions in a certain period of time (this only affects subscriptions made after v1.3) plus total subscribers for each plan and total income.
 One-off payments stats page on the Admin CP which shows a list of subscribers to one-off subscriptions in a certain period of time (this only affects subscriptions made after v1.3) plus total subscribers for each plan and total income.
 It is possible to set, for each plan, which usergroups can see it and therefore subscribe to it.
 Each plan can have a custom PM.

Download:

Content locked

This content has been locked. Please login or register in order to unlock it.

JumpingJack

09-06-2016, 09:28 PM

This too suffers from same old SQL injection + Blind Sqli vulnerability @

PHP Code:
case 'do_addsubscription':
if ($mybb->input['title'] == '' || $mybb->input['description'] == '' || intval($mybb->input['group']) <= 0)
{
mysubscriptions_messageredirect($lang->mysubscriptions_missing_field, 1);
}

$title = $db->escape_string($mybb->input['title']);
$description = $db->escape_string($mybb->input['description']); 

Input field without annotaion is possible about True, False SQL Injection. Normal Web Firewalls filter #, --, /**/, so the method is more effective in the Web Firewalls.

People using this plugin on forum are likely to be hacked or defaced by attacker if they santize header and upload shell. Apart from Sqli.

I had previously informed plugin author about this but he seem to be lazy and never checks his mail . And i dont got time to register his kiddo forum

11-06-2016, 07:49 AM

Wow, today found one more vulnerability in payment gateway php. It's LFI bug , i wont disclose code because its very even for a noob to upload shell via this bug-vulnerability Smile

and i wont disclose this bug to author ,as he is careless and unprofessional php developer .

12-06-2016, 01:34 PM

09-06-2016, 09:28 PM
bingo Wrote: This too suffers from same old SQL injection + Blind Sqli vulnerability @

PHP Code:
case 'do_addsubscription': if ($mybb->input['title'] == '' || $mybb->input['description'] == '' || intval($mybb->input['group']) <= 0) { mysubscriptions_messageredirect($lang->mysubscriptions_missing_field, 1); } $title = $db->escape_string($mybb->input['title']); $description = $db->escape_string($mybb->input['description']);
Input field without annotaion is possible about True, False SQL Injection. Normal Web Firewalls filter #, --, /**/, so the method is more effective in the Web Firewalls.

People using this plugin on forum are likely to be hacked or defaced by attacker if they santize header and upload shell. Apart from Sqli.

I had previously informed plugin author about this but he seem to be lazy and never checks his mail . And i dont got time to register his kiddo forum

How would you patch that? I'd like to protect my forum and I have this plugin running. Also what problem is there in the gateway? I'd like to fix that too for my users otherwise they steal from me!

12-06-2016, 01:36 PM

12-06-2016, 01:34 PM
DP_PN Wrote:
09-06-2016, 09:28 PM
bingo Wrote: This too suffers from same old SQL injection + Blind Sqli vulnerability @

PHP Code:
case 'do_addsubscription': if ($mybb->input['title'] == '' || $mybb->input['description'] == '' || intval($mybb->input['group']) <= 0) { mysubscriptions_messageredirect($lang->mysubscriptions_missing_field, 1); } $title = $db->escape_string($mybb->input['title']); $description = $db->escape_string($mybb->input['description']);
Input field without annotaion is possible about True, False SQL Injection. Normal Web Firewalls filter #, --, /**/, so the method is more effective in the Web Firewalls.

People using this plugin on forum are likely to be hacked or defaced by attacker if they santize header and upload shell. Apart from Sqli.

I had previously informed plugin author about this but he seem to be lazy and never checks his mail . And i dont got time to register his kiddo forum

How would you patch that? I'd like to protect my forum and I have this plugin running. Also what problem is there in the gateway? I'd like to fix that too for my users otherwise they steal from me!

You can always use the type of setup NulledBB has.

My Resources

~ fdigl ~

12-06-2016, 01:47 PM

But I looked at the file and I don't see any vulns. The code he quoted seems OK to me. The dev escapes all the input. And I can't find any LFI vulnerabilities in the IPN handlers either. The only file included is inc/init.php and it takes no input at all in the require/include line so I don't understand....are we safe or not? Would be good if bingo culd actually explain isntead of saying it's not secur.

bingo

12-06-2016, 03:20 PM

This post was last modified: 12-06-2016, 03:24 PM by bingo

@ DP_PN if you tested and its safe thenn you or anybody is free to use this plugin, i got no obligations.

As for LFI i cant detail because many forum will get jacked if i provide poc, but juts telling you it's "traversal sequences method"

if i was you then i would have not used this plugin, not atol. + author is very lazy to respond or to fix sqli so no point informing him new vulnerabilities , dunno

EDIT: dp_pn there is no bug in payment gateway itself, its a bug(vul) in the php code in plugin. dont worry no one can steal your money Smile

12-06-2016, 07:59 PM

I checked your all your posts and they make no sense at all...everytime you say there's a vulnerability, I can't seem to find it...you say "there's SQLi" but all the input is escaped properly. You say there's 'LFI' but you don't provide proof and no files are even included...

But you say in your intro thread you are 14 years old so I understand you don't seem to know what you tlakin about. If you do, you should maybe contact the owner on his website via PM or smth. Maybe we get new version soon.

bingo

13-06-2016, 03:57 AM

12-06-2016, 07:59 PM
DP_PN Wrote: I checked your all your posts and they make no sense at all...everytime you say there's a vulnerability, I can't seem to find it...you say "there's SQLi" but all the input is escaped properly. You say there's 'LFI' but you don't provide proof and no files are even included...

But you say in your intro thread you are 14 years old so I understand you don't seem to know what you tlakin about. If you do, you should maybe contact the owner on his website via PM or smth. Maybe we get new version soon.

No one really knows if he is legit yet about what he's saying because of stuff like this. Just watch what your putting on your website really. Check the code yourself if you think it's safe then use it.

My Resources

~ fdigl ~

bingo