miniBB Support Forums / Bugs

miniBB 3.x Addon preview Remote File Include Vulnerability

Author Dransil
#1 | Posted: 17 Mar 2014 02:11 
I'm not looking to stir any trouble, but I often search for exploits/vulns concerning the software that I personally use/run, and I came across this today on an exploits-for-sale website; this particular exploit is currently being offered for free:
Found vulnerable code in file addon_preview.php line: 12
So an attacker can use it to compromise the system.
Not declared before &require parameter is: $pathToFiles
h t t p : / / [target]/[dir]/addon_preview.php?pathToFiles=[SHELL]

Author Paul
Lead Developer
#2 | Posted: 18 Mar 2014 22:25 | Edited by: Paul 
Thanks for this.

The only fix to provide is to put this line at the top of addon_preview.php, before any other code executes:

if (!defined('INCLUDED776')) die ('Fatal error.');

Possibly this dates from very ancient times, and the exploit will actually work only if PHP's register_globals setting is set to ON, which nowadays is obviously met very rarely on hosting. Also, it would work only on miniBB installations which have the Preview add-on installed.

I've updated the official package regarding this fix. Thanks again.
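The include guard Paul describes, shown in context as an added example (this is not the shipped miniBB file): the `INCLUDED776` check from the thread comes first, and the path check below it, the `resolve_addon_path` helper, and the assumption that the forum root is `__DIR__` are additions written for this illustration, not miniBB's own code.

```php
<?php
// addon_preview.php, hardened as described in the thread above.
// Added example; only the guard line is from the thread, the rest is assumed.

// 1. Include guard. The main forum script is expected to define INCLUDED776
//    before requiring add-ons. A direct HTTP request to this file never
//    defines it, so execution stops here and the require further down is
//    never evaluated, whatever $pathToFiles may contain.
if (!defined('INCLUDED776')) die ('Fatal error.');

// 2. Belt-and-braces for hosts still running register_globals=On, where a
//    query-string value could pre-populate $pathToFiles: accept the variable
//    only if it resolves to a directory inside the installation root.
//    Remote URLs (http://...) and paths outside the root are rejected.
function resolve_addon_path($candidate, $root)
{
    $real     = realpath((string) $candidate);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false || !is_dir($real)) {
        return null;
    }
    // Prefix comparison on the separator-terminated paths avoids matching
    // a sibling directory that merely shares the root's name as a prefix.
    $realS = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $rootS = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($realS, $rootS) !== 0) {
        return null;
    }
    return $realS;
}

// Assumed installation root: the directory this add-on lives in.
$installRoot = __DIR__;
$pathToFiles = resolve_addon_path(
    isset($pathToFiles) ? $pathToFiles : $installRoot,
    $installRoot
);
if ($pathToFiles === null) die ('Fatal error.');

// The add-on's original require of its support files (line 12 in the
// report) would follow here, now built only from a validated local path.
```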
