miniBB ® miniBB®
miniBB Support Forums
 | Forums | Register | Reply | Search | Statistics | Manual |
News & Announcements miniBB Support Forums / News & Announcements /   

Memberlist add-on updated (XSS issue)

Author Paul
Lead Developer
#1 | Posted: 6 Oct 2008 04:54 | Edited by: Paul 
Members list add-on for miniBB was recently updated because of the possible XSS attack. Despite this issue is very minor and hard to achieve the proper effect, we recommend everybody using this add-on make necessary update of the core addon_members2.php file.

In this file, there are two line fixes of the received variable output:

$morder=(isset($_GET['morder'])?$_GET['morder']:'username');

becomes

$morder=(isset($_GET['morder'])?htmlspecialchars($_GET['morder'], ENT_QUOTES):'username');

and

$memberSearch=(isset($_GET['memberSearch'])?$_GET['memberSearch']:'');

becomes

$memberSearch=(isset($_GET['memberSearch'])?htmlspecialchars($_GET['memberSearch'], ENT_QUOTES):'');

I don't know whom to thank for discovering of this issue because we have received few simultaneous reports from various sources regarding it. Anyway to whom it may appeal: thank you :-)

Let us know if the patch applied will bring new issues.

News & Announcements miniBB Support Forums / News & Announcements / Memberlist add-on updated (XSS issue) Top

Your Reply Click this icon to move up to the quoted message

 Short link for this topic:

 ?
Only registered users are allowed to post here. Please, enter your username/password details upon posting a message, or register first.


Before posting, make sure your message is compliant with our forum posting rules. If not, it may be locked or deleted with no explanation.
 
miniBB Support Forums Powered by Forum Software miniBB ® Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contacts
Install the Captcha add-on: protect your miniBB-forums from the automated spam and flood.
Captcha Addon for miniBB