miniBB Support Forums

Possible XSS in members list add-on

Author Guest
#1 | Posted: 29 Jul 2008 18:39 
Is this something to worry about? I get the same result in my forum and I am using an older version.


Author Guest
#2 | Posted: 29 Jul 2008 23:01 
I also just found this:


Any fix?

Author Paul
Lead Developer
#3 | Posted: 30 Jul 2008 03:14 
"plugin Rss Remote File Inclusion Vulnerability" from your second post was fixed in the RSS add-on a long time ago.

Regarding the first XSS bug - this affects only the Memberlist add-on and nothing else, and I wouldn't say there is anything critical, because such an approach doesn't affect the database anyway. However, I know there are some cases when it's possible to steal a cookie that way and perform other impossible tasks, so I've just fixed the affected memberlist add-on with the following line:

$uniV=$memberSearchVal=htmlspecialchars($memberSearchVal, ENT_QUOTES);

which is put instead of

$uniV=htmlspecialchars($memberSearchVal, ENT_QUOTES);

The package in downloads is fixed as well.

Thank you for mentioning.
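
The pattern behind the one-line fix in post #3, as an added example that is not part of the thread or of miniBB's code: escaping only the copy (`$uniV`) leaves any later output of `$memberSearchVal` unescaped. The two render functions, the `searchFor` field name and the sample value are hypothetical, and the second print of `$memberSearchVal` is an assumption about where the raw value was reaching the page.

```php
<?php
// Added example, not miniBB code. render_before()/render_after() are
// hypothetical stand-ins for a template that prints the search value twice.

function render_before(string $memberSearchVal): string
{
    // Pre-fix line from the thread: only the copy is escaped.
    $uniV = htmlspecialchars($memberSearchVal, ENT_QUOTES);
    // Assumption: another part of the page still prints the original variable.
    return "<input name=\"searchFor\" value=\"{$uniV}\">"
         . "<p>Results for {$memberSearchVal}</p>";
}

function render_after(string $memberSearchVal): string
{
    // Fixed line from the thread: both names now hold the escaped value.
    $uniV = $memberSearchVal = htmlspecialchars($memberSearchVal, ENT_QUOTES);
    return "<input name=\"searchFor\" value=\"{$uniV}\">"
         . "<p>Results for {$memberSearchVal}</p>";
}

// Regression check: true when the input appears verbatim (unescaped)
// anywhere in the rendered HTML.
function leaks_raw_input(string $html, string $input): bool
{
    return strpos($html, $input) !== false;
}

// Constructed test value containing quote and angle-bracket characters.
$sample = '"><i>constructed test value</i>';

foreach (['render_before', 'render_after'] as $render) {
    $html = $render($sample);
    printf("%-14s raw input in output: %s\n",
        $render, leaks_raw_input($html, $sample) ? 'yes' : 'no');
}
```

Because the fixed line overwrites `$memberSearchVal`, every later use of that variable sees the entity-encoded text, so code that needs the original string for a non-HTML purpose has to keep its own copy taken before that line.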
