Members list add-on for miniBB was recently updated because of the possible XSS attack. Despite this issue is very minor and hard to achieve the proper effect, we recommend everybody using this add-on make necessary update of the core
addon_members2.php file.
In this file, there are two line fixes of the received variable output:
$morder=(isset($_GET['morder'])?$_GET['morder']:'username');
becomes
$morder=(isset($_GET['morder'])?htmlspecialchars($_GET['morder'], ENT_QUOTES):'username');
and
$memberSearch=(isset($_GET['memberSearch'])?$_GET['memberSearch']:'');
becomes
$memberSearch=(isset($_GET['memberSearch'])?htmlspecialchars($_GET['memberSearch'], ENT_QUOTES):'');
I don't know whom to thank for discovering of this issue because we have received few simultaneous reports from various sources regarding it. Anyway to whom it may appeal: thank you :-)
Let us know if the patch applied will bring new issues.
