phpBBModders.net • BBChat 1.1.1

BBChat 1.1.1

Posted: 02 Aug 2009, 15:37
by 7raul
MOD title: BBChat
MOD description: This mod will add an AJAX based chat into your forum.
MOD version: 1.1.1
phpBB version: phpBB 3.0.x

MOD Format: MODX

MOD download: http://www.phpbb3hacks.com/viewtopic.php?f=51&p=629

Screenshot: [url=http://forum.football4fun.eu/mods/bbchat_1_1_0.png]prosilver[/url]

Re: BBChat 1.1.0

Posted: 03 Aug 2009, 01:00
by Obsidian
I'll have to look into this and see if it is as easily broken as Handyman's AJAX chat. :lol:

Re: BBChat 1.1.0

Posted: 03 Aug 2009, 01:58
by Obsidian
To start, I will say this.

I don't see this MOD being validated at all in the current state.

The code is a mess. There is no feasible attempt at proper indentation, the header comments for the files added are non-existent, and I can see numerous errors waiting to be thrown in debug mode.

Simply put, the code is a mess.

From the moment I opened up the first file, I could see issues waiting to happen. The installer file is DBMS specific (which we have an article on the site for how to do this properly [url=http://phpbbmodders.net/articles/3.0/dbal/]here[/url]), and there are portions of code in the installer that could cause issues with the board on install (such as module insertion -- modules are dynamic and need to be treated for such). I don't understand why EAMI wasn't used for the automatic module insertion, it's an easy tool to use.

There are issues with strings not being used within quotes, something that would cause warnings as PHP4 now recognizes those strings as constants.

The strings for trigger_error() calls are hardcoded. This is unacceptable as per the coding guidelines, which are available [url=http://area51.phpbb.com/docs/coding-guidelines.html]here[/url]. I recommend that every MOD author read through them for the proper way to code for phpBB.

Also, several other users examined the code and saw that the DBAL is not being properly used. After running an SQL query that returns results, you should use dbal::sql_freeresult() to remove the cached results from the DBAL. Take a look at [url=http://wiki.phpbb.com/Dbal#sql_freeresult]this[/url].

Also, several of us spotted a very, very large issue. There is an SQL injection vulnerability in chat_show.php, which could allow a user to exploit the MOD to malicious ends. Very simply, a user could destroy your entire database and ruin your site at will if this MOD was installed. For a way to fix this vulnerability, I recommend taking a look at [url=http://wiki.phpbb.com/Dbal#sql_escape]this bit[/url] of the phpBB wiki.
Due to the dangerous nature of this SQL injection vulnerability, I have removed the download link from this topic and locked it until the vulnerability is resolved.

7raul, if you would like the details regarding the vulnerability or you have fixed it, please send me a private message regarding this MOD.
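As an added illustration of the three DBAL points raised in the review above (escaping input with sql_escape(), freeing result sets with sql_freeresult(), and not hardcoding trigger_error() strings), here is a constructed example written for this thread. It is not BBChat's code and does not reproduce chat_show.php, which is not shown here; it assumes the phpBB 3.0 globals $db and $user, a hypothetical CHAT_TABLE constant with made-up column names, and a language key CHAT_BAD_REQUEST that the MOD's language file would have to define.

```php
<?php
/**
 * Constructed example (not BBChat's code): reading and writing chat rows
 * through the phpBB 3.0 DBAL. The first function shows the unsafe pattern
 * the review warns about; the two after it show the hardened form.
 */
if (!defined('IN_PHPBB'))
{
	exit;
}

// Hypothetical table constant; the MOD's real table name is not on the page.
define('CHAT_TABLE', $table_prefix . 'chat');

/**
 * UNSAFE PATTERN (for comparison only): raw request data is interpolated
 * into the query. Neither value is cast or escaped, so either one can alter
 * the structure of the SQL statement, and the result set is never freed.
 */
function chat_fetch_unsafe()
{
	global $db;

	$room    = $_GET['room'];
	$last_id = $_GET['last_id'];

	$sql = "SELECT message_id, username, message_text
		FROM " . CHAT_TABLE . "
		WHERE room = '$room' AND message_id > $last_id";
	$result = $db->sql_query($sql);

	$rows = array();
	while ($row = $db->sql_fetchrow($result))
	{
		$rows[] = $row;
	}
	// Missing $db->sql_freeresult($result): the DBAL keeps the result cached.
	return $rows;
}

/**
 * HARDENED PATTERN: request_var() casts to the type of its default value,
 * sql_escape() quotes string values correctly for the active DBMS, and
 * sql_freeresult() releases the result set once it has been consumed.
 */
function chat_fetch_hardened()
{
	global $db, $user;

	// Integer default: request_var() returns an int, nothing to escape.
	$last_id = request_var('last_id', 0);
	// String default: still a string, so it must go through sql_escape().
	$room    = request_var('room', '');

	if ($room === '' || $last_id < 0)
	{
		// Language key (assumed to exist in the MOD's language file) instead of a hardcoded string.
		trigger_error($user->lang['CHAT_BAD_REQUEST']);
	}

	$sql = 'SELECT message_id, username, message_text
		FROM ' . CHAT_TABLE . "
		WHERE room = '" . $db->sql_escape($room) . "'
			AND message_id > " . (int) $last_id . '
		ORDER BY message_id ASC';
	$result = $db->sql_query_limit($sql, 50);

	$rows = array();
	while ($row = $db->sql_fetchrow($result))
	{
		$rows[] = $row;
	}
	$db->sql_freeresult($result);

	return $rows;
}

/**
 * Inserts built with sql_build_array() are escaped by the DBAL and stay
 * portable across the DBMSs phpBB supports, which also addresses the
 * DBMS-specific installer concern raised above.
 */
function chat_insert_hardened($room, $message_text)
{
	global $db, $user;

	$sql_ary = array(
		'room'         => (string) $room,
		'user_id'      => (int) $user->data['user_id'],
		'username'     => (string) $user->data['username'],
		'message_text' => (string) $message_text,
		'message_time' => time(),
	);

	$db->sql_query('INSERT INTO ' . CHAT_TABLE . ' ' . $db->sql_build_array('INSERT', $sql_ary));

	return (int) $db->sql_nextid();
}
```

The difference between the two fetch functions is the whole of the fix the review points at: every value that reaches the SQL string is either cast to int or passed through $db->sql_escape(), and the result handle is freed after the loop. Using sql_build_array() for the INSERT is the DBAL-portable way to write data, which is the same reason the review links the DBAL article for the installer.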

Re: BBChat 1.1.0

Posted: 04 Aug 2009, 20:27
by Obsidian
Topic unlocked as the latest version has the injection vulnerability that was identified earlier fixed.