miniBB 2.2b release and Captcha add-on updates (minor security fixes)

Author Paul
CEO
#1 | Posted: 2 Oct 2008 09:58
As was recently reported in a security issue provided by 'Rino', miniBB can be exploited to execute intrusive JavaScript code.

I personally think that, despite the theory, these issues are very vague and hard to imitate in practice. Anyway, caring about secure software, we weren't brave enough to ignore them and made the following updates:

1) In the Human Authorization (Captcha) add-on, there is a minor update in the addon_authorize.php file. Please note we didn't change the version of the add-on because this issue doesn't affect any kind of new development in this add-on. Premium customers will just need to download the version from their downloads area and overwrite this file.

2) In the miniBB core, there is an update to the function called getMyCookie in the bb_cookie.php file. The new condition will now strictly deny any kind of cookie containing < or > signs (which you are required to put in if you execute a JavaScript plant). Previously, there was a security fix only removing clear slashes in the username.

These issues have very low practical importance; however, I hope they will be appreciated by followers of hacking theory ;-)
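An added example, not part of the original post and not miniBB's own code, of the cookie rule described in post #1: reject any cookie value containing < or >, and additionally encode the username at output. The cookie name, the "username|token" layout and both function names are assumptions made for this illustration.

```php
<?php
// Added illustration; not miniBB's bb_cookie.php. The cookie name and the
// "username|token" layout are assumptions made for this example.

/**
 * Return [username, token] from the login cookie, or null if the
 * cookie is missing, malformed, or must be denied.
 */
function readLoginCookie(array $cookies, string $name = 'exampleForumLogin'): ?array
{
    // PHP turns "name[]=x" cookies into arrays, so check the type first.
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    $raw = $cookies[$name];

    // The rule described in the post: deny the whole cookie if it holds < or >.
    if (strpbrk($raw, '<>') !== false) {
        return null;
    }

    // Assumed layout: exactly two non-empty fields separated by "|".
    $parts = explode('|', $raw);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    return $parts;
}

/** Encode at the point of output, independent of any input filter. */
function renderGreeting(string $username): string
{
    return 'Logged in as ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// Constructed sample cookie jars.
$samples = [
    ['exampleForumLogin' => 'alice|3f9c'],
    ['exampleForumLogin' => '<script>alert(1)</script>|3f9c'],
    ['exampleForumLogin' => 'bob" title="x|3f9c'], // no < or >, so the filter lets it through
    ['exampleForumLogin' => ['nested' => 'array']],
];

foreach ($samples as $cookies) {
    $login = readLoginCookie($cookies);
    echo $login === null ? "rejected\n" : renderGreeting($login[0]) . "\n";
}
```

The third sample passes the angle-bracket check, which is why the username is also encoded with htmlspecialchars() where it is written into the page.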
Author Rino
Forums Member
#2 | Posted: 2 Oct 2008 11:29
I was the one who found these two flaws. They are fixed now and I am reading the miniBB source to see if there are more flaws.
Author Paul
CEO
#3 | Posted: 2 Oct 2008 11:36 | Edited by: Paul
Rino
Thank you Rino, once again. Don't hesitate to mention any credit you want.
Author lvalics
Forums Member
#4 | Posted: 11 Oct 2008 15:52
How do I get the new version?
I paid for this some time ago.
Author Paul
CEO
#5 | Posted: 13 Oct 2008 03:06
lvalics
If you don't have access to our customers' downloads area, contact us providing your order number, and we will send them by email.