miniBB Support Forums | 15 years on The Web
miniBB ®

miniBB

®
  
 | Begin | Register | Reply | Search | Statistics | Manual |
Tidings miniBB Support Forums / Tidings /   
 

Memberlist add-on updated (XSS issue)

 
Author Paul
Lead Developer
#1 | Posted: 6 Oct 2008 04:54 | Edited by: Paul 
Members list add-on for miniBB was recently updated because of the possible XSS attack. Despite this issue is very minor and hard to achieve the proper effect, we recommend everybody using this add-on make necessary update of the core addon_members2.php file.

In this file, there are two line fixes of the received variable output:

$morder=(isset($_GET['morder'])?$_GET['morder']:'username');

becomes

$morder=(isset($_GET['morder'])?htmlspecialchars($_GET['morder'], ENT_QUOTES):'username');

and

$memberSearch=(isset($_GET['memberSearch'])?$_GET['memberSearch']:'');

becomes

$memberSearch=(isset($_GET['memberSearch'])?htmlspecialchars($_GET['memberSearch'], ENT_QUOTES):'');

I don't know whom to thank for discovering of this issue because we have received few simultaneous reports from various sources regarding it. Anyway to whom it may appeal: thank you :-)

Let us know if the patch applied will bring new issues.

Tidings miniBB Support Forums / Tidings /
 Memberlist add-on updated (XSS issue)
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


 ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with our forum posting rules. If not, it may be locked or deleted with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Proceed with the Captcha add-on: protect your miniBB-forums from the automated spam and flood.
↑ TOP