miniBB Community Forum / News & Announcements

miniBB version 2.1a released - security fix

 
Paul
CEO
#1 | Posted: 30 Oct 2007 02:56
Recently it has been discovered that there is a little defect in miniBB's code which in theory allows executing remote SQL.

Currently this bug is fixed in 2.1a.

The manual fix is: modify bb_func_search.php and locate the following code:

if(isset($_GET['where'])) $where=$_GET['where']+0; else $where=0;

after that code paste the line:

if($where!=0 and $where!=1) $where=0;

The mentioned exploit will work (again) only in those cases where you or your provider are not caring about security on the server and upon installing the software:

1) if register_globals in php.ini is set to ON (not recommended by the PHP team)

2) if during installation of miniBB you have not renamed the default table names, as is recommended by the miniBB team.
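The two-step normalisation from the manual fix above, written up as an added example (not miniBB's own code) so the effect of the clamp on various incoming values can be seen side by side with PHP's built-in integer validation filter; the function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not code from miniBB: the "coerce, then clamp" logic of the
// patched bb_func_search.php as a function, next to the filter_var() equivalent.

// Mirrors the patched logic: force an integer, then reject anything other than
// the two values (0 or 1) the search code actually expects.
function normalize_where_post_style($raw): int
{
    // (int) cast instead of the post's "+0": identical for numeric strings,
    // but "+0" on a completely non-numeric string throws a TypeError on PHP 8.
    $where = isset($raw) ? (int) $raw : 0;
    if ($where != 0 and $where != 1) {
        $where = 0;
    }
    return $where;
}

// Same policy through PHP's validation filter: anything that is not an integer
// in the range [0, 1] falls back to the default of 0.
function normalize_where_filter($raw): int
{
    return (int) filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 1, 'default' => 0],
    ]);
}

// Constructed sample inputs, as they might arrive in $_GET['where'].
$samples = [null, '0', '1', '2', '-1', '1 OR 1=1', 'abc', '1.0'];
foreach ($samples as $raw) {
    printf("%-12s -> post-style %d, filter_var %d\n",
        var_export($raw, true),
        normalize_where_post_style($raw),
        normalize_where_filter($raw));
}
```

Note the one difference: the cast keeps the leading digit of a string such as '1 OR 1=1' (harmless, since only the integer 1 survives), while filter_var rejects the whole value and returns 0.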