Just had the opportunity to rejigger the code again, instead of the above replacement:
In /scripts/changeprefs.inc.php, find:
Code
		header("Location: $curl");


Replace with:
Code
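	// Only redirect when $curl is a scheme-relative URL on this server ("//<SERVER_NAME>/...")
	if (substr($curl, 0, strlen("//". $_SERVER['SERVER_NAME'] ."/")) === "//". $_SERVER['SERVER_NAME'] ."/") {
		header("Location: $curl");
	} else {
		// Anything else gets the standard error page instead of a redirect
		$html->not_right($ubbt_lang['POST_PROB']);
	}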

This code change is towards the bottom of the script file. You can then attempt to redirect on your own site as:
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbcentral.com
-AND-
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
-AND-
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com

You can test this behavior here on UBBCentral by going to:
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com
-AND-
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
-AND-
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com

We'll need to touch base with the existing code to see what needs to be cleaned up further, but this should work to limit the URLs allowed to redirect with the changepreferences script.

Last edited by Gizmo; 12/04/2023 3:42 AM. Reason: Updated check per Phillip's suggestion

I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
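
The prefix check from the post applied to its three UBBCentral test `curl` values, next to a constructed variant that omits the trailing slash, to show why the slash matters for the `//www.ubbcentral.com@ubbdev.com` case. This is an added example, not UBB.threads code or the poster's own; the function names, the fixed `$serverName` and the last sample value are assumptions.

```php
<?php
// Added example, not UBB.threads code. Function names are hypothetical.

// The check from the post: $curl must begin with "//<server name>/".
function prefix_check_with_slash(string $curl, string $serverName): bool
{
    $prefix = "//" . $serverName . "/";
    return substr($curl, 0, strlen($prefix)) === $prefix;
}

// Constructed weaker variant for contrast: same prefix, no trailing slash.
function prefix_check_without_slash(string $curl, string $serverName): bool
{
    $prefix = "//" . $serverName;
    return substr($curl, 0, strlen($prefix)) === $prefix;
}

// Stands in for $_SERVER['SERVER_NAME'] so the script runs from the CLI.
$serverName = "www.ubbcentral.com";

$samples = [
    // The three curl values from the post's UBBCentral test URLs
    "https://ubbdev.com",
    "https://ubbdev.com/www.ubbcentral.com/",
    "//www.ubbcentral.com@ubbdev.com",
    // Constructed same-site value (assumption, not from the post)
    "//www.ubbcentral.com/forums/ubbthreads.php",
];

foreach ($samples as $curl) {
    // parse_url() reports the host a browser would actually navigate to;
    // text before "@" is userinfo, not the host.
    $host = parse_url($curl, PHP_URL_HOST);
    printf(
        "%-45s host=%-20s with_slash=%-7s without_slash=%s\n",
        $curl,
        ($host === null || $host === false) ? "(none)" : $host,
        prefix_check_with_slash($curl, $serverName) ? "allow" : "reject",
        prefix_check_without_slash($curl, $serverName) ? "allow" : "reject"
    );
}
```

The userinfo-style value passes the slash-less comparison because the server name is a plain string prefix of it, while the posted check rejects it: the character after the server name is `@`, not `/`.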