Memberlist add-on updated (XSS issue)

 
Paul
CEO
#1 | Posted: 6 Oct 2008 04:54 | Edited by: Paul
The Members list add-on for miniBB was recently updated because of a possible XSS attack. Although this issue is very minor and it is hard to achieve the proper effect, we recommend that everybody using this add-on make the necessary update of the core addon_members2.php file.

In this file, there are two line fixes of the received variable output:

$morder=(isset($_GET['morder'])?$_GET['morder']:'username');

becomes

$morder=(isset($_GET['morder'])?htmlspecialchars($_GET['morder'], ENT_QUOTES):'username');

and

$memberSearch=(isset($_GET['memberSearch'])?$_GET['memberSearch']:'');

becomes

$memberSearch=(isset($_GET['memberSearch'])?htmlspecialchars($_GET['memberSearch'], ENT_QUOTES):'');

I don't know whom to thank for discovering this issue because we have received a few simultaneous reports from various sources regarding it. Anyway, to whom it may concern: thank you :-)

Let us know if the applied patch brings new issues.
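
The effect of the two fixes above, shown as an added example that is not part of the original post or of miniBB's code. It compares the raw value, ENT_COMPAT escaping and the ENT_QUOTES escaping used in the patch inside a single-quoted attribute, and goes one step further with an allowlist for morder. The function names, the allowed sort keys and the sample request are assumptions.

```php
<?php
// Added illustration, not miniBB code. The function names, the sort-key
// allowlist and the sample request are assumptions made for this example.

// Read a request value and escape it for HTML output, as the patched lines do.
// Non-string input (e.g. ?memberSearch[]=x arrives as an array) falls back to
// the default instead of reaching htmlspecialchars().
function read_param(array $get, string $name, string $default): string
{
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return $default;
    }
    return htmlspecialchars($get[$name], ENT_QUOTES);
}

// Extra check for a value that only selects a sort order: accept known keys only.
function read_sort_key(array $get, array $allowed, string $default): string
{
    $value = read_param($get, 'morder', $default);
    return in_array($value, $allowed, true) ? $value : $default;
}

// Constructed request: both quote styles plus markup characters.
$get = [
    'morder'       => "username' data-x='1",
    'memberSearch' => "a\"b'c<i>d",
];

$raw     = $get['memberSearch'];
$compat  = htmlspecialchars($raw, ENT_COMPAT); // escapes " < > & but not '
$patched = read_param($get, 'memberSearch', '');
$morder  = read_sort_key($get, ['username', 'example_column'], 'username');

// In a single-quoted attribute, only the ENT_QUOTES form stays inside the value.
foreach (['raw' => $raw, 'ENT_COMPAT' => $compat, 'ENT_QUOTES' => $patched] as $label => $v) {
    printf("%-10s <input name='memberSearch' value='%s'>\n", $label, $v);
}
printf("morder after allowlist: %s\n", $morder);
```

Before PHP 8.1, htmlspecialchars() called without a flags argument used ENT_COMPAT, so passing ENT_QUOTES explicitly matters on older installations.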
 