miniBB Support Forums | 15 years on The Web
miniBB ®


 | Forums | Register | Reply | Search | Statistics | Manual |
News & Announcements miniBB Support Forums / News & Announcements /   

miniBB version 2.1a released - security fix

Author Paul
Lead Developer
#1 | Posted: 30 Oct 2007 02:56 
Recently it has been discovered that there is a little defect in miniBB's code which in theory allows to execute remote SQL.

Currently this bug is fixed in 2.1a.

The manual fix is: modify bb_func_search.php and locate the following code:

if(isset($_GET['where'])) $where=$_GET['where']+0; else $where=0;

after that code paste the line:

if($where!=0 and $where!=1) $where=0;

The mentioned Exploit will work (again) only in those cases if you or your provider are not carrying about the security on the server and upon installing the software:

1) if register_globals of php.ini is set to ON (not recommended by PHP team)

2) if via installation of miniBB you have not renamed default table names as it is recommended by miniBB team.

News & Announcements miniBB Support Forums / News & Announcements /
 miniBB version 2.1a released - security fix
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message

You are welcome to post anonymously, by entering a nickname with no password (if the similar Username has not been taken yet), or by leaving both fields empty. If you have a forums account, you can also sign in from this page without posting a message, or sign in and post at once.

Before posting, make sure your message is compliant with our forum posting rules. If not, it may be locked or deleted with no explanation.

miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Check out the Captcha add-on: protect your miniBB-forums from the automated spam and flood.