Users have been crafting URLs using the curl redirect (the "current URL" value that sends traffic back to the function) in UBB.threads. Nothing is exploited on the site, but it allows them to forward requests from a page of your site to 3rd party destinations; until we get v8 out the door I'm sharing the patch with everyone now. With the patch below, any 3rd party URL will be stopped by the system from redirecting unless the redirected URL is a local URL (on your site).
Update: See this post for an update.
In /scripts/changeprefs.inc.php Find:
header("Location: $curl");
Replace with:
if (strpos($curl, $_SERVER['SERVER_NAME']) !== false) {
header("Location: $curl");
} else {
$html->not_right($ubbt_lang['POST_PROB']);
}
The line to change is near the bottom of the script file. Once patched, you can test the redirect on your own site with:
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbcentral.com
You can test this behavior here on UBBCentral by going to:
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com
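The patch above decides "local" by checking whether the server name appears anywhere in $curl as a substring. A practitioner reviewing that check would note it also accepts external URLs that merely contain the hostname somewhere in their path or query string, so the stricter form is to parse the URL and compare its host exactly. The following is an added example, not code from UBB.threads or from the original post; the function name isLocalRedirect and the sample URLs are assumptions constructed here.

```php
<?php
// Added example (not UBB.threads code): a host-based replacement for the
// substring check. It allows site-relative paths and absolute http(s) URLs
// whose host equals the site's own host; everything else is rejected.
function isLocalRedirect(string $curl, string $serverName): bool
{
    // Site-relative path (e.g. "/forums/ubbthreads.php") stays on this host.
    // Reject "//host/..." and "/\host/..." which browsers treat as
    // protocol-relative URLs pointing at another host.
    if (substr($curl, 0, 1) === '/' && !preg_match('#^/[/\\\\]#', $curl)) {
        return true;
    }

    $parts = parse_url($curl);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }

    // Only plain web schemes count as local; javascript:, data: etc. never do.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }

    // Exact, case-insensitive host comparison. parse_url separates any
    // "user@" prefix into 'user', so "https://example.com@other/" yields
    // host "other" and is correctly rejected.
    return strcasecmp($parts['host'], $serverName) === 0;
}

// Drop-in use in changeprefs.inc.php (replacing the strpos check):
//   if (isLocalRedirect($curl, $_SERVER['SERVER_NAME'])) {
//       header("Location: $curl");
//   } else {
//       $html->not_right($ubbt_lang['POST_PROB']);
//   }

// Constructed sample inputs paired with the decision they should produce.
$site = 'example.com';
$cases = [
    ['https://example.com/forums/ubbthreads.php?ubb=cfrm', true],
    ['/forums/ubbthreads.php?ubb=cfrm',                      true],
    ['https://EXAMPLE.com/forums/',                          true],
    ['https://ubbcentral.com/',                              false],
    ['https://ubbcentral.com/?next=example.com',             false], // substring check accepts this one
    ['//ubbcentral.com/',                                    false],
    ['https://example.com@ubbcentral.com/',                  false],
    ['javascript:alert(1)',                                  false],
];

foreach ($cases as [$url, $expected]) {
    $got = isLocalRedirect($url, $site);
    printf("%s  %-50s -> %s\n", $got === $expected ? 'ok  ' : 'FAIL', $url, $got ? 'local' : 'blocked');
}
```

One further caveat when wiring this in: on Apache, $_SERVER['SERVER_NAME'] is taken from the request's Host header unless UseCanonicalName is On, so comparing against a hostname stored in the board's own configuration is more robust than trusting the server variable.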