Full Path Disclosure / XSRF

Was notified of a full path disclosure vuln today.

http://www.minibb.com/forums/bb_func_checkusr.php

Anyway to show nothing when accessed by itself? I get 2 errors that show the path.

Warning: Invalid argument supplied for foreach() in /home/username/forum/bb_func_checkusr.php on line 12

Warning: preg_match() [function.preg-match]: Compilation failed: missing terminating ] for character class at offset 10 in /home/username/forum/bb_func_checkusr.php on line 24

----------------------------------------------------------

Also received this XSS/XSRF vuln. You need to be admin for this to work and know the admin page but still could be dangerous.

bb_admin.php?action=searchusers2&whatus="><script>alert(document.cookie)</script><a="&searchus=id

Which way it could be dangerous? You as admin suppose to hack your own site? ;-) This is what we call a "pseudo" vulnerability and it has been reported to us earlier. We will fix it in the next stable version of miniBB (plan to start to work on it in November).

Regarding bb_func_checkusr.php you are right and the easy fix is that at the top of that file, right after <?php tag or below the Copyright comments, paste the line:


Truly, this full path won't give you a lot of possibilities to hack, but anyway, this is the error we will fix in the next release as well. Thanks for your report!