miniBB ® miniBB®
miniBB Support Forums
 | Forums | Register | Reply | Search | Statistics | Manual |
Bugs miniBB Support Forums / Bugs /   

[?] Is it a file inclusion bug or not

Author Paul
Lead Developer
#1 | Posted: 19 Jun 2007 04:43 
As reported today by our customer, recently an issue has been posted on security focus site which can be found under the URL:

It says the issue is about "Input Validation Error" and the code under "Exploit" section provides the algorithm, which tries to register on miniBB forums and instead of 3-chars language value supply the path and name of the file which could be included later as the "language" file, that way its content could be shown to the attacker.

I may be wrong, I may be true, but here is what I think: this is just another "fake" hack which just emulates the understanding that there is something vulnerable, at the time there is nothing vulnerable at all.

I've met couple of such hacks in the past.

Now, mine proof-of-concept:

1. Exploit page says "Attackers can use a browser to exploit this issue", but the code provided does not allow it at all. The hack suggests to run itself in the command line. In general, you may use the browser submitting your own "modified" registration page where the language value is substituted, however this does not change things a lot. Read below.

2. The code supplied tries to substitute $language variable with the file name to include. It is obvious that variable $language is not checked in the bb_func_regusr.php file which handles the registration process, however it is doubtful that it will work.

First, a database field can handle just 3 chars (as by default in miniBB's structure). mySQL will cut off this value down to 3 chars not depending what is specified.

Second, even if the database scructure would allow your script to save "language" value in database this way, this value is stripped of slashes, backslashes and dots in index.php before including the file. See the checking routine right after the string in index.php which says


As a result I would like to read other opinions regarding this case... before issuing "a solution" :-) Maybe the solution would be just to post on securityfocus that another student from Iran crashed his reputation in the hackers underground.

Bugs miniBB Support Forums / Bugs / [?] Is it a file inclusion bug or not Top

Your Reply Click this icon to move up to the quoted message

 Short link for this topic:

Only registered users are allowed to post here. Please, enter your username/password details upon posting a message, or register first.

Before posting, make sure your message is compliant with our forum posting rules. If not, it may be locked or deleted with no explanation.
miniBB Support Forums Powered by Forum Software miniBB ® Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contacts
Check out the Captcha add-on: protect your miniBB-forums from the automated spam and flood.
Captcha Addon for miniBB