miniBB Support Forums | 16 years on The Web
miniBB ® 


 | Begin | Register | Reply | Search | Statistics | File Bank | Manual |
Bugs miniBB Support Forums / Bugs /   

Full Path Disclosure / XSRF

Author Guest
#1 | Posted: 6 Nov 2008 08:33 
Was notified of a full path disclosure vuln today.

Anyway to show nothing when accessed by itself? I get 2 errors that show the path.

Warning: Invalid argument supplied for foreach() in /home/username/forum/bb_func_checkusr.php on line 12

Warning: preg_match() [function.preg-match]: Compilation failed: missing terminating ] for character class at offset 10 in /home/username/forum/bb_func_checkusr.php on line 24


Also received this XSS/XSRF vuln. You need to be admin for this to work and know the admin page but still could be dangerous.


Author Paul
Lead Developer
#2 | Posted: 7 Nov 2008 05:12 
You need to be admin for this to work and know the admin page but still could be dangerous.

Which way it could be dangerous? You as admin suppose to hack your own site? ;-) This is what we call a "pseudo" vulnerability and it has been reported to us earlier. We will fix it in the next stable version of miniBB (plan to start to work on it in November).

Regarding bb_func_checkusr.php you are right and the easy fix is that at the top of that file, right after <?php tag or below the Copyright comments, paste the line:

if (!defined('INCLUDED776')) die ('Fatal error.');

Truly, this full path won't give you a lot of possibilities to hack, but anyway, this is the error we will fix in the next release as well. Thanks for your report!

Bugs miniBB Support Forums / Bugs /
 Full Path Disclosure / XSRF
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message

Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.

Before posting, make sure your message is compliant with our forum posting rules. If not, it may be locked or deleted with no explanation.


miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Get the Captcha add-on: protect your miniBB-forums from the automated spam and flood.