miniBB Community Forum / News & Announcements

miniBB 2.2b release and Captcha add-on updates (minor security fixes)

 
Paul
CEO
#1 | Posted: 2 Oct 2008 09:58
As was recently reported, in a security issue provided by 'Rino', miniBB can be exploited to execute intrusive JavaScript code.

I personally think that, despite their theory, these issues are very vague and hard to imitate in practice. Anyway, caring about secure software, we weren't brave enough to ignore them and did the following updates:

1) In the Human Authorization (Captcha) add-on, there is a minor update in addon_authorize.php file. Please note we didn't change the version of the add-on because this issue doesn't affect any kind of the new development in this add-on. Premium customers will just need to download the version from their downloads area and overwrite this file.

2) In the miniBB core, there is an update regarding the bb_cookie.php file's function called getMyCookie. The new condition will now strictly deny any kind of cookie containing < or > signs (which are required if you execute a JavaScript plant). Previously, there was a security fix only removing clear slashes in the username.

These issues have very low practical importance; however, I hope they will be appreciated by hacking theory followers ;-)
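To illustrate the kind of cookie check the announcement above describes (a strict denial of any cookie value containing < or >), here is an added example in PHP. It is not miniBB's own code and not the actual getMyCookie change; the function names, the cookie name `user`, and the sample cookie jars are constructed for the illustration. It goes a little further than the announcement by allowing only a conservative username character set and by escaping the value again on output, so that a value which slips past the cookie check still cannot inject markup.

```php
<?php
// Added illustration, not miniBB's own code: a strict check on a
// cookie-carried username in the spirit of the getMyCookie change
// described in post #1, plus HTML escaping on output as defense in depth.
// Function and cookie names are hypothetical.

// Returns the trimmed cookie value, or null when the cookie must be ignored.
function readTrustedCookie(array $cookies, string $name, int $maxLen = 32): ?string {
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    $value = trim($cookies[$name]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Strict denial of angle brackets: the condition the announcement describes.
    if (strpbrk($value, '<>') !== false) {
        return null;
    }
    // Beyond the announcement: accept only a conservative set of username
    // characters, so quotes and backslashes are rejected as well.
    if (!preg_match('/^[A-Za-z0-9_.\- ]+$/', $value)) {
        return null;
    }
    return $value;
}

// Output-side escaping: even a validated value is escaped before it reaches HTML.
function renderUsername(?string $user): string {
    $shown = $user ?? 'Guest';
    return htmlspecialchars($shown, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample cookie jars for a quick self-check (not real traffic).
$samples = [
    ['user' => 'Rino'],             // accepted, rendered as-is
    ['user' => 'evil<script>'],     // rejected: contains '<' and '>'
    ['user' => 'name"with"quotes'], // rejected by the allow-list
    [],                             // no cookie at all: falls back to Guest
];
foreach ($samples as $jar) {
    $u = readTrustedCookie($jar, 'user');
    echo var_export($jar['user'] ?? null, true), ' => ', renderUsername($u), PHP_EOL;
}
```

Rejecting a cookie rather than stripping characters from it keeps the rule easy to reason about: a value either matches the allow-list or is treated as absent. The `htmlspecialchars` call on output is the part that would also have covered the older slash-stripping fix, since escaping happens regardless of what validation the cookie passed.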
Rino
Forums Member
#2 | Posted: 2 Oct 2008 11:29
I was the one who found these two flaws. They are fixed now and I am reading the miniBB source to see if there are more flaws.
Paul
CEO
#3 | Posted: 2 Oct 2008 11:36 | Edited by: Paul
Rino
Thank you Rino, once again. Don't hesitate to mention any credit you want.
lvalics
Forums Member
#4 | Posted: 11 Oct 2008 15:52
How do I get the new version?
I paid for this some time ago.
Paul
CEO
#5 | Posted: 13 Oct 2008 03:06
lvalics
If you don't have access to our customers' downloads area, contact us providing your order number, and we will send them by email.