miniBB Support Forums / Bugs

Full Path Disclosure / XSRF

Author Guest
#1 | Posted: 6 Nov 2008 08:33 
Was notified of a full path disclosure vuln today.

http://www.minibb.com/forums/bb_func_checkusr.php

Any way to show nothing when accessed by itself? I get 2 errors that show the path.

Warning: Invalid argument supplied for foreach() in /home/username/forum/bb_func_checkusr.php on line 12

Warning: preg_match() [function.preg-match]: Compilation failed: missing terminating ] for character class at offset 10 in /home/username/forum/bb_func_checkusr.php on line 24

----------------------------------------------------------

Also received this XSS/XSRF vuln. You need to be admin for this to work and know the admin page, but it still could be dangerous.

bb_admin.php?action=searchusers2&whatus="><script>alert(document.cookie)</script><a="&searchus=id
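
The payload above is a reflected XSS: the `whatus` value is written back into the admin search form unescaped, closes the attribute it lands in, and injects a script that runs with the logged-in admin's session (the attacker only needs the admin to follow the link, which is the XSRF angle the reporter mentions). The following is an added example, not miniBB's own code: the form markup is an assumption about what such a page emits, and the hardened version uses `htmlspecialchars()` for the attribute context.

```php
<?php
// Added example (not miniBB code). The reported payload is reflected into an
// attribute value of the admin search form; the <input> markup below is an
// assumption about what bb_admin.php emits, not its real source.

// The reporter's payload: closes the value="" attribute, injects a script, and
// opens a dummy attribute to swallow the remainder of the original tag.
const REPORTED_PAYLOAD = '"><script>alert(document.cookie)</script><a="';

// Vulnerable rendering: the request parameter goes straight into the HTML.
function render_search_vulnerable(string $whatus): string
{
    return '<input type="text" name="whatus" value="' . $whatus . '">';
}

// Hardened rendering: HTML-encode for the attribute context. ENT_QUOTES also
// escapes single quotes, so the same helper is safe inside value='...' too;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function render_search_safe(string $whatus): string
{
    $enc = htmlspecialchars($whatus, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="whatus" value="' . $enc . '">';
}

// Constructed request: ...&whatus=<payload>&searchus=id, round-tripped through
// URL encoding the way it would travel in the attacker's link.
$params  = ['action' => 'searchusers2', 'whatus' => REPORTED_PAYLOAD, 'searchus' => 'id'];
$qs      = http_build_query($params);   // what the crafted link carries
parse_str($qs, $decoded);               // what $_GET would hold on the server

echo render_search_vulnerable($decoded['whatus']), "\n";
// <input type="text" name="whatus" value=""><script>alert(document.cookie)</script><a="">
echo render_search_safe($decoded['whatus']), "\n";
// <input type="text" name="whatus" value="&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;a=&quot;">

// Self-check: the hardened output must never contain a raw "<script".
function output_is_safe(string $html): bool
{
    return stripos($html, '<script') === false;
}
var_dump(output_is_safe(render_search_vulnerable($decoded['whatus'])));  // bool(false)
var_dump(output_is_safe(render_search_safe($decoded['whatus'])));        // bool(true)
```

Escaping at output time is the fix for the injection itself; whether an attacker can also make the admin submit the search on their behalf is a separate CSRF question that a per-session token on admin actions addresses.
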

Author Paul
Lead Developer
#2 | Posted: 7 Nov 2008 05:12 
Guest:
You need to be admin for this to work and know the admin page but still could be dangerous.

Which way could it be dangerous? Are you, as admin, supposed to hack your own site? ;-) This is what we call a "pseudo" vulnerability, and it was reported to us earlier. We will fix it in the next stable version of miniBB (we plan to start work on it in November).

Regarding bb_func_checkusr.php, you are right, and the easy fix is to paste the following line at the top of that file, right after the <?php tag or below the copyright comments:

if (!defined('INCLUDED776')) die ('Fatal error.');

Truly, this full path won't give you a lot of possibilities to hack, but anyway, this is an error we will fix in the next release as well. Thanks for your report!
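
The include guard above works because the line runs before any other statement in the file: when the file is requested directly, the constant the entry script normally defines is absent and the script stops before the code that depends on that script's variables can emit a warning. The following is an added example, not miniBB's own code: it builds a throwaway include in a temp directory and exercises both access paths. The constant name INCLUDED776 is the one from the reply above; the file body, the `$users` variable and the temp directory are invented for the demonstration.

```php
<?php
// Added example (not miniBB code): an include guard against direct access,
// demonstrated with a throwaway include file, plus the error-display setting
// that keeps any remaining PHP warning from reaching the browser.
// Assumptions: INCLUDED776 is the constant from the reply; the file bodies,
// the $users variable and the temp directory are invented here.

$dir = sys_get_temp_dir() . '/minibb_guard_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}

// Unguarded: top-level code uses $users, which only exists when the entry
// script set it. Requested directly, foreach() warns, and the warning text
// carries the absolute filesystem path (the full path disclosure).
$unguarded = <<<'PHP'
<?php
foreach ($users as $u) {
    echo $u, "\n";
}
PHP;

// Guarded: bail out before anything else runs unless the entry script
// defined the constant first.
$guarded = <<<'PHP'
<?php
if (!defined('INCLUDED776')) die('Fatal error.');
foreach ($users as $u) {
    echo $u, "\n";
}
PHP;

file_put_contents("$dir/unguarded.php", $unguarded);
file_put_contents("$dir/bb_func_checkusr.php", $guarded);

// Simulate a direct HTTP request by running the file on its own in a child
// PHP process with warnings displayed, as a misconfigured web server would.
function run_direct(string $file): string
{
    $cmd = PHP_BINARY . ' -d display_errors=1 ' . escapeshellarg($file) . ' 2>&1';
    return (string) shell_exec($cmd);
}

echo "--- unguarded, requested directly ---\n";
echo run_direct("$dir/unguarded.php");         // Warning: ... in /tmp/.../unguarded.php on line 2
echo "--- guarded, requested directly ---\n";
echo run_direct("$dir/bb_func_checkusr.php");  // Fatal error.

// Legitimate use: the entry script defines the guard, sets up state, includes.
// The include runs in this scope, so $users is visible to it.
echo "--- guarded, included by the entry script ---\n";
define('INCLUDED776', 1);
$users = ['alice', 'bob'];
include "$dir/bb_func_checkusr.php";            // alice, bob

// Defence in depth: a production site should never echo PHP warnings to the
// client at all; log them instead. Equivalent to display_errors=Off and
// log_errors=On in php.ini or .htaccess, which stops path disclosure from any
// file that lacks a guard.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The guard has to be the first statement after the opening tag (or the copyright comment); a `require` or any code placed above it would still execute on direct access. Turning `display_errors` off is the broader fix, since every PHP warning, not only these two, embeds the script's absolute path.
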

