miniBB Community Forum / Bugs

Possible XSS in members list add-on

Guest
#1 | Posted: 29 Jul 2008 18:39
Is this something to worry about? I get the same result in my forum and I am using an older version.

http://www.minibb.com/forums/index.php?memberSearchVal=%22%3E%3Ch1%3EXSS%3C/h1%3E&memberSearch=user_id&action=members
Guest
#2 | Posted: 29 Jul 2008 23:01
I also just found this:

http://packetstormsecurity.org/0807-exploits/minibbrss-rfi.txt

Any fix?
Paul
CEO
#3 | Posted: 30 Jul 2008 03:14
"plugin Rss Remote File Inclusion Vulnerability" from your second post was fixed in the RSS add-on a long time ago.

Regarding the first XSS bug: this affects only the Memberlist add-on and nothing else, and I wouldn't say there is something critical because such an approach doesn't affect the database anyway. However, I know there are some cases when it's possible to steal a cookie that way and perform other impossible tasks, so I've just fixed the affected memberlist add-on with the following line:

$uniV=$memberSearchVal=htmlspecialchars($memberSearchVal, ENT_QUOTES);

which is put instead of

$uniV=htmlspecialchars($memberSearchVal, ENT_QUOTES);

The package in downloads is fixed as well.

Thank you for mentioning.
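The bug and the one-line fix from post #3, written out as an added example that is not miniBB's own code: the form-rendering functions are hypothetical stand-ins for the add-on's output, and the input is the decoded payload from the URL in post #1.

```php
<?php
// Added example, not miniBB's code. Models the Memberlist add-on's search
// box: $memberSearchVal arrives from the query string and is echoed back
// into a value="..." attribute. Function names are hypothetical.

// Vulnerable shape: only the copy handed to the search ($uniV) is escaped,
// while the raw $memberSearchVal is reused for the form field.
function renderSearchBoxVulnerable(string $memberSearchVal): string {
    $uniV = htmlspecialchars($memberSearchVal, ENT_QUOTES); // used for the query
    return '<input type="text" name="memberSearchVal" value="' . $memberSearchVal . '">';
}

// Fixed shape, mirroring the change in the post: escape once and assign the
// result back to $memberSearchVal, so every later use of the variable is safe.
function renderSearchBoxFixed(string $memberSearchVal): string {
    $uniV = $memberSearchVal = htmlspecialchars($memberSearchVal, ENT_QUOTES);
    return '<input type="text" name="memberSearchVal" value="' . $memberSearchVal . '">';
}

// Constructed input: the decoded value of memberSearchVal from the thread's URL.
$payload = urldecode('%22%3E%3Ch1%3EXSS%3C/h1%3E');

// The double quote closes the attribute and the <h1> lands in the page.
echo renderSearchBoxVulnerable($payload), "\n";

// ENT_QUOTES turns " into &quot; and < into &lt;, so the text stays inside
// the attribute and is shown back to the user as literal characters.
echo renderSearchBoxFixed($payload), "\n";

// Regression check a maintainer can keep: no raw tag may survive in the output.
assert(strpos(renderSearchBoxFixed($payload), '<h1>') === false);
```

The point of the fix is that escaping a copy ($uniV) does nothing for the other copy that still reaches the HTML; assigning the escaped value back to the source variable closes that gap for every later echo.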