miniBB Support Forums / News & Announcements

Blind SQL injection fix

Author Paul
Lead Developer
#1 | Posted: 27 Nov 2014 00:25 | Edited by: Paul 
Kacper Szurek helped miniBB to grow more and reported a possible SQL injection in its core. I've updated the current version, which contains the new script bb_func_unsub.php; this is the one you need to update on your forums.

Details of the update: this code

if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){

should look like this:

if(isset($_GET['code']) and preg_match("#^[a-zA-Z0-9]+$#", $_GET['code'])){

i.e. the regular expression should contain the ^ and $ anchors.

This issue might be critical, so I'd recommend that every miniBB admin apply it ASAP.

Also, hopefully in the near future, I'll post an updated 3.1.1 version covering small bugs and issues in the 3.1 release.

Stay tuned!
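The flaw Paul describes above, worked through as an added example (this is not code from the post or from miniBB). Python's re.search stands in for PHP's preg_match; the subscriptions table and the SELECT that concatenates the code into the SQL are constructed for illustration and are not miniBB's actual schema or query. It shows why the unanchored pattern is no filter at all, how a boolean-based blind probe shows up as a difference in what the page returns, and that a parameterized query closes the hole even if the regex is wrong.

```python
import re
import sqlite3

# The two checks from the post, modelled in Python. PHP's
# preg_match("#[a-zA-Z0-9]+#", $s) is a substring search, which
# re.search reproduces; adding ^ and $ anchors it to the whole value.
UNANCHORED = re.compile(r"[a-zA-Z0-9]+")
ANCHORED = re.compile(r"^[a-zA-Z0-9]+$")
STRICT = re.compile(r"[a-zA-Z0-9]+")


def passes_unanchored(code: str) -> bool:
    """The pre-fix check: true if ANY alphanumeric character is present."""
    return UNANCHORED.search(code) is not None


def passes_anchored(code: str) -> bool:
    """The fixed check. Note that $ (in Python, and in PCRE without the D
    modifier) also matches just before a single trailing newline."""
    return ANCHORED.search(code) is not None


def passes_strict(code: str) -> bool:
    """Whole-string match with no trailing-newline allowance (PCRE: \\z or D)."""
    return STRICT.fullmatch(code) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a subscriptions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriptions (user_id INTEGER, code TEXT)")
    conn.executemany(
        "INSERT INTO subscriptions VALUES (?, ?)",
        [(1, "k7x9"), (2, "abc123")],
    )
    conn.commit()
    return conn


def build_query_unsafe(code: str) -> str:
    """Hypothetical query shape (not miniBB's): the code is concatenated
    into the SQL, so the regex above is the only thing between the
    attacker and the database."""
    return f"SELECT user_id FROM subscriptions WHERE code = '{code}'"


def unsubscribe_lookup(conn, code, check, parameterized=False):
    """Validate `code` with `check`, then look it up.
    Returns None if the check rejects the input, otherwise the sorted
    list of matching user ids."""
    if not check(code):
        return None
    cur = conn.cursor()
    if parameterized:
        cur.execute("SELECT user_id FROM subscriptions WHERE code = ?", (code,))
    else:
        cur.execute(build_query_unsafe(code))
    return sorted(row[0] for row in cur.fetchall())


if __name__ == "__main__":
    conn = make_db()
    # Boolean-based blind probes: the attacker sees no data, only whether
    # the page behaves as "found" or "not found" for each variant.
    true_probe = "x' OR 1=1 -- "
    false_probe = "x' OR 1=2 -- "
    print("unanchored, true probe   :", unsubscribe_lookup(conn, true_probe, passes_unanchored))
    print("unanchored, false probe  :", unsubscribe_lookup(conn, false_probe, passes_unanchored))
    print("anchored, true probe     :", unsubscribe_lookup(conn, true_probe, passes_anchored))
    print("parameterized, true probe:", unsubscribe_lookup(conn, true_probe, passes_unanchored, True))
```

Both probes contain the letter x, so the unanchored check waves them through, and the two probes return different row sets; that difference is the oracle a blind injection is built on. The anchored check rejects them because the quote and spaces are outside the character class. Two practical caveats: in PCRE, `$` without the `D` modifier also matches before a final newline, so `\z` (or `D`) is the stricter choice when the value must be exactly alphanumeric; and the regex should be defence in depth, not the only defence, which is what the parameterized branch shows.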

Author jtalk
Registered
#2 | Posted: 31 Jan 2015 05:00 | Edited by: jtalk 
Hey Paul, I know you're working hard on 3.1.1, but I wanted to know what some of those small bugs were.

thanks

Edit: will it be possible to manually upgrade to 3.1.1, like making the changes you listed in your post?

Author Jaime
Registered
#3 | Posted: 31 Jan 2015 11:12 
If it had critical errors, Paul would have already done it. So I can wait, reassured. Previously, Paul always provided detailed information for a manual update ... and I am sure that this will not change!

Author Paul
Lead Developer
#4 | Posted: 31 Jan 2015 15:36 
The information about changes in 3.1.1 will be provided in the same manner as for any other release. The bugs are truly not critical and not really related to security issues.

Author Paul
Lead Developer
#5 | Posted: 31 Jan 2015 22:23 
BTW, the issue I describe in the very first post is already included in 3.1.
