Site in read-only mode

This site is now read-only following the release of MyBB 1.8 and the new mods site.

If you are looking for MyBB 1.8 mods please click here to visit the new mods site.

You can continue to download submissions for MyBB 1.6 and earlier here, however new submissions will only be accepted via the new mods site.

Plugin Uploader

Allows you to import .zip plugin archives directly and have the files extracted to their correct locations automatically.

Version: 1.1.2
Author: Matt
Submitted: 27th November 2010
Last Updated: 25th August 2014

Bugs, requests, feedback

Name: Plugin Uploader
Description: Allows you to import .zip plugin archives directly and have the files extracted to their correct locations automatically.
Author: MattRogowski
Version: 1.1.2
Compatibility: 1.6.x
Files: 4 (plus 1 optional core file edit)
Database changes: 1 new table, 1 new column to one table

This plugin will allow you to import a plugin .zip or .php file directly to the ACP and have the files moved to their correct locations.

For security, a password is required when uploading a plugin.

It will try and show you screenshots of the plugin if any have been provided.

If the plugin is from the MyBB Mods site, it will check that the version you are uploading is the latest version, and if it's not, will give you the download URL for the newer version.

Allows you to delete all the files for a plugin (if the plugin was uploaded with this plugin uploader).

Supports uploading an upgraded/newer version of a plugin, and supports renamed admin directories.

Offers not to upload non-PHP root files to save clutter.

It was reported recently that this plugin was 'vulnerable' with an exploit to upload shells. By the nature of what the plugin does, you are uploading files directly to your file system. Usually, you'd do this via FTP, which hopefully nobody would have access to, whereas this plugin allows you to upload via the Admin CP, which someone may gain unauthorized access to. Because of this, it is theoretically possible to upload malicious code. However, there are several things put in place to reduce the possibility of this.

- When you install the plugin, there is a big warning explaining this risk (see screenshot).
Preview Image 7175
- You are required to set a password for the Plugin Uploader. This will be asked for every time you upload a plugin (with the option to save it in a cookie). This means that if someone gains access to your admin account, they'll also need to know the Plugin Uploader password.
- By default, no admins who are not super admins will have access to it; you will have to give them access. So, either you would root your own site, or a trusted admin would, in which case, maybe you shouldn't trust them with this functionality.

I took the decision to go with the password method, because if there were any checks for malicious code, I would then be responsible if anything was missed, and as it would essentially be impossible to catch every single possible line of malicious code that may exist, and as there would be frequent false-positives as several functions that are often used maliciously also have legitimate uses (eval(), for example, is commonly used in shells but is also used to render MyBB's templates), it made more sense to just explain the risks and leave it up to you if you're happy to use it or not. If you have a good password for the Plugin Uploader, trust where you upload plugins from, and trust who you give access to it to, you should be fine.

To Install:
Upload ./inc/plugins/pluginuploader.php to ./inc/plugins/
Upload ./admin/modules/config/pluginuploader.php to ./admin/modules/config/
Upload ./inc/languages/english/admin/config_pluginuploader.lang.php to ./inc/languages/english/admin/
Create folder 'temp' in ./inc/plugins/ and CHMOD to 777.
Upload ./inc/plugins/temp/test.php to ./inc/plugins/temp/
Optional (but highly recommended) core file edit: Upload ./admin/modules/config/plugins.php to ./admin/modules/config/
Go to ACP > Plugins > Install and Activate
Go to ACP > Configuration > Plugins > Upload Plugin

Change Log:
27/11/10 - v0.1 -> Initial beta release.
02/12/10 - v0.1 -> v0.2 -> Fixed bug where you may have got a blank page or PHP error when installing the plugin. Fixed bug where the tab for the Plugin Uploader wouldn't show on the Sharepoint theme and some other ACP themes. Fixed bug where the plugins list would be broken if the plugin was deactivated. Fixed bug where you'd get a PHP error if the ZipArchive class is not available. Fixed bug where plugins could run on the page showing information about the plugin. Fixed bug where not all language files would be loaded for the page showing information about the plugin. Tweaked how list of files in the plugin package is collected and stored. Warning for deleting a plugin will now show which files will be deleted. To upgrade, reupload ./inc/plugins/pluginuploader.php, ./admin/modules/config/pluginuploader.php, ./inc/languages/english/admin/config_pluginuploader.lang.php, and (optional core file edit) ./admin/modules/config/plugins.php
09/12/10 - v0.2 -> v0.3 -> Fixed bug were you'd get PHP errors on the plugins page if you have other plugins uploaded, but this is the first plugin you activated. Tweaked how it searches for the plugin file root. If the plugin is from the MyBB Mods site, it will now check the plugin version and tell you if it's out of date. Import page that shows information about the plugin will now try and find screenshots and display them as thumbnails on the information page. To upgrade, reupload ./inc/plugins/pluginuploader.php, ./admin/modules/config/pluginuploader.php, and ./inc/languages/english/admin/config_pluginuploader.lang.php
09/12/10 - v0.3 -> v0.3.1 -> Fixed bug were you'd get PHP errors if the plugin had external files as the file path was wrong. To upgrade, reupload ./inc/plugins/pluginuploader.php and ./admin/modules/config/pluginuploader.php
19/01/11 - v0.3.1 -> v0.4 -> Added a password check when uploading plugins. To upgrade, reupload ./inc/plugins/pluginuploader.php, ./admin/modules/config/pluginuploader.php, and ./inc/languages/english/admin/config_pluginuploader.lang.php. More information on this is available here:
19/01/11 - v0.4 -> v0.4.1 -> Fixed a bug where choosing to activate a plugin after importing would redirect back to the plugin uploader page. Fixed a bug where you'd get an error saying the password was wrong after choosing to import the plugin. To upgrade, reupload ./inc/plugins/pluginuploader.php and ./admin/modules/config/pluginuploader.php
07/02/11 - v0.4.1 -> v0.4.2 -> Fixed a bug where the custom plugin system class may be unavailable. Changed when the language files are temporarily uploaded in case the plugin file loads a language file outside of a function. To upgrade, reupload ./inc/plugins/pluginuploader.php and ./admin/modules/config/pluginuploader.php
14/06/11 - v0.4.2 -> v1.0 -> Added the ability to store a cookie for the plugin uploader password to save having to upload it every time you upload a plugin. Added the ability to totally disable the password check. Added support for renamed admin directories. Added support to upload a single PHP file. Fixed a bug caused by a PHP peculiarity that would mean the plugin file couldn't be found. Added a check for if files have been uploaded with an owner of nobody. Made major improvements to how files are copied/moved, including connection via FTP to move the files. More information on this can be found here: To upgrade, reupload ./inc/plugins/pluginuploader.php, ./admin/modules/config/pluginuploader.php, ./inc/languages/english/admin/config_pluginuploader.lang.php, and upload ./inc/plugins/temp/test.php to ./inc/plugins/temp/
03/12/11 - v1.0 -> v1.0.1 -> Made compatible with MyBB 1.6.5. To upgrade, reupload ./inc/plugins/pluginuploader.php
27/05/12 - v1.0.1 -> v1.1 -> Plugins can now be imported from the MyBB Mods Site or via a URL. FTP details are no longer stored in a file, but are encrypted in the database or a cookie instead. Method of moving files has been improved. Plugin imports are now logged to the admin log. Usage stats can now be sent. If a readme was included with the plugin it will be shown on the plugin information page when importing. Fixed a bug where the cookie storing the password may store the wrong one. Made it easier to clear the password cookie. To upgrade, reupload ./inc/plugins/pluginuploader.php, ./admin/modules/config/pluginuploader.php, ./inc/languages/english/admin/config_pluginuploader.lang.php and ./admin/modules/config/plugins.php (edited version of core file included with plugin).
27/05/12 - v1.1 -> v1.1.1 -> Fixed bug where loading a readme may cause an endless loop resulting in a PHP error. Fixed bug where readme file wouldn't be picked up if it had capital letters in the name. Fixed bug where readme wouldn't be shown when importing a new plugin. To upgrade, reupload ./admin/modules/config/pluginuploader.php and ./inc/languages/english/admin/config_pluginuploader.lang.php
27/05/12 - v1.1.1 -> v1.1.2 -> The Plugin Uploader can now be upgraded via the Plugin Uploader. To upgrade, reupload ./inc/plugins/pluginuploader.php, ./admin/modules/config/pluginuploader.php and ./inc/languages/english/admin/config_pluginuploader.lang.php

Preview Image 5573Preview Image 5575Preview Image 5574Preview Image 5576Preview Image 5577