miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
News miniBB Support Forums / News /  
 

Memberlist add-on updated (XSS issue)

 
Author Paul
Lead Developer 
#1 | Posted: 6 Oct 2008 04:54 
Members list add-on for miniBB was recently updated because of the possible XSS attack. Despite this issue is very minor and hard to achieve the proper effect, we recommend everybody using this add-on make necessary update of the core addon_members2.php file.

In this file, there are two line fixes of the received variable output:

$morder=(isset($_GET['morder'])?$_GET['morder']:'username');
becomes

$morder=(isset($_GET['morder'])?htmlspecialchars($_GET['morder'], ENT_QUOTES):'username');
and

$memberSearch=(isset($_GET['memberSearch'])?$_GET['memberSearch']:'');
becomes

$memberSearch=(isset($_GET['memberSearch'])?htmlspecialchars($_GET['memberSearch'], ENT_QUOTES):'');
I don't know whom to thank for discovering of this issue because we have received few simultaneous reports from various sources regarding it. Anyway to whom it may appeal: thank you :-)

Let us know if the patch applied will bring new issues.

News miniBB Support Forums / News /
 Memberlist add-on updated (XSS issue)
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Proceed with the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑