miniBB Support Forums / Bugs
Possible XSS in members list add-on

 
Author: Guest · #1 · Posted: 29 Jul 2008 18:39
Is this something to worry about? I get the same result in my forum and I am using an older version.

https://www.minibb.com/forums/index.php?memberSearchVal=%22%3E%3Ch1%3EXSS%3C/h1%3E&memberSearch=user_id&action=members

Author: Guest · #2 · Posted: 29 Jul 2008 23:01
I also just found this:

http://packetstormsecurity.org/0807-exploits/minibbrss-rfi.txt

Any fix?

Author: Paul (Lead Developer) · #3 · Posted: 30 Jul 2008 03:14
The "plugin Rss Remote File Inclusion Vulnerability" from your second post was fixed in the RSS add-on a long time ago.

Regarding the first XSS bug: this affects only the Memberlist add-on and nothing else, and I wouldn't say there is something critical, because such an approach doesn't affect the database anyway. However, I know there are some cases when it's possible to steal a cookie that way and perform other impossible tasks, so I've just fixed the affected memberlist add-on with the following line:

$uniV=$memberSearchVal=htmlspecialchars($memberSearchVal, ENT_QUOTES);

which replaces

$uniV=htmlspecialchars($memberSearchVal, ENT_QUOTES);
The package in downloads is fixed as well.

Thank you for mentioning.
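The one-line fix above is easy to misread, so here is an added illustration of what it changes. This is not miniBB's code: the template fragment, the render functions and the field names are assumptions made for this example; only the two variable names ($uniV, $memberSearchVal) and the htmlspecialchars(..., ENT_QUOTES) call come from Paul's post. The point is that the original code produced an escaped copy in $uniV but left the raw $memberSearchVal in scope, so any later template use of the raw variable (here, re-filling the search box) reflected the attacker's markup. Assigning the escaped string back to $memberSearchVal as well means every subsequent use is already entity-encoded.

```php
<?php
// Added example (not miniBB code). The template fragment and helper names are
// assumptions; only $uniV, $memberSearchVal and the ENT_QUOTES call are from
// the forum post. Constructed input: the decoded payload from the URL in #1.

declare(strict_types=1);

// Before the fix: the escaped copy goes to $uniV (used for the heading), but
// the raw value is still echoed when the search field is re-filled, so the
// attacker closes the value="" attribute and injects markup.
function render_before(string $memberSearchVal): string
{
    $uniV = htmlspecialchars($memberSearchVal, ENT_QUOTES);
    return "<h2>Members matching: {$uniV}</h2>\n"
         . "<input type=\"text\" name=\"memberSearchVal\" value=\"{$memberSearchVal}\">\n";
}

// After the fix: one escaped string is assigned to both variables, so the
// attribute receives &quot;&gt;&lt;h1&gt;... and stays inside the quotes.
function render_after(string $memberSearchVal): string
{
    $uniV = $memberSearchVal = htmlspecialchars($memberSearchVal, ENT_QUOTES);
    return "<h2>Members matching: {$uniV}</h2>\n"
         . "<input type=\"text\" name=\"memberSearchVal\" value=\"{$memberSearchVal}\">\n";
}

// Quick check a reviewer can run: does raw tag markup survive into the output?
function leaks_markup(string $html): bool
{
    return strpos($html, '<h1>') !== false;
}

$payload = '"><h1>XSS</h1>';   // constructed: decoded memberSearchVal from post #1

echo "--- before the fix ---\n", render_before($payload);
echo "--- after the fix ----\n", render_after($payload);

echo "before leaks markup: ", leaks_markup(render_before($payload)) ? "yes" : "no", "\n";
echo "after leaks markup:  ", leaks_markup(render_after($payload)) ? "yes" : "no", "\n";
```

Run with `php example.php`. ENT_QUOTES matters here: it encodes both `"` and `'`, so the escaping holds whether a template writes the attribute with double or single quotes. Note that this example shows a reflected XSS: nothing is stored in the database, but the markup still executes in the browser of anyone who opens the crafted link, which is why the cookie-theft scenario Paul mentions applies.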


This topic is closed. New replies are not allowed.
