miniBB Support Forums
Blind SQL injection fix

 
Author Paul
Lead Developer 
#1 | Posted: 27 Nov 2014 00:25 
Kacper Szurek helped miniBB to grow more and reported a possible SQL injection in its core. I've updated the current version, which contains the new script bb_func_unsub.php; this is the one you need to update on your forums.

Details of update: this code

if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
should look like this:

if(isset($_GET['code']) and preg_match("#^[a-zA-Z0-9]+$#", $_GET['code'])){
i.e. the regular expression should have ^ and $ inside the regexp.

This issue might be critical, so I'd recommend every miniBB admin apply it ASAP.

Also, hopefully in the near future I'll post an updated 3.1.1 version, covering small bugs and issues of the 3.1 release.

Stay tuned!
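The following is an added illustration and not code from miniBB or from Paul's post. It assumes only that bb_func_unsub.php reads the value from $_GET['code'] and uses it in a query; the function and table names below are hypothetical. It shows why the unanchored pattern accepts a string that merely contains letters or digits somewhere, why the anchored pattern rejects it, and one caveat of the fix itself: in PCRE, $ also matches just before a trailing newline, so "abc\n" still passes unless the D modifier (or \z) is used. It finishes with a prepared statement as defence in depth, so the query no longer depends on the validation at all.

```php
<?php
// Added example, not miniBB code. The input values below are constructed.

// The check as it was before the fix: true if the string contains
// at least one run of alphanumerics anywhere, whatever surrounds it.
function code_passes_unanchored(string $code): bool
{
    return (bool) preg_match("#[a-zA-Z0-9]+#", $code);
}

// The check as published in the fix: the whole string must be alphanumeric.
function code_passes_anchored(string $code): bool
{
    return (bool) preg_match("#^[a-zA-Z0-9]+$#", $code);
}

// Stricter variant: the D (dollar-end-only) modifier stops $ from matching
// before a final "\n", so a trailing newline is rejected as well.
function code_passes_strict(string $code): bool
{
    return (bool) preg_match("#^[a-zA-Z0-9]+$#D", $code);
}

// Constructed inputs: a normal code, a code carrying a quote and extra
// SQL-looking text, a code with a trailing newline, and an empty string.
$samples = [
    'a1b2c3',
    "abc' OR 1=1",
    "abc\n",
    '',
];

printf("%-16s %-10s %-9s %-7s\n", 'input', 'unanchored', 'anchored', 'strict');
foreach ($samples as $code) {
    printf(
        "%-16s %-10s %-9s %-7s\n",
        json_encode($code),                                   // shows the "\n" visibly
        code_passes_unanchored($code) ? 'pass' : 'reject',
        code_passes_anchored($code)   ? 'pass' : 'reject',
        code_passes_strict($code)     ? 'pass' : 'reject'
    );
}

// Defence in depth: even a correctly validated value should reach the
// database as a bound parameter, never by string concatenation.
// The table and column names are hypothetical (not miniBB's schema).
function unsubscribe_by_code(PDO $db, string $code): int
{
    if (!code_passes_strict($code)) {
        return 0;                                            // reject before touching the DB
    }
    $stmt = $db->prepare('DELETE FROM subscriptions WHERE code = :code');
    $stmt->execute([':code' => $code]);
    return $stmt->rowCount();
}

// Offline demonstration against an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE subscriptions (code TEXT)');
$db->exec("INSERT INTO subscriptions VALUES ('a1b2c3'), ('zzz999')");
printf("rows removed for a1b2c3: %d\n", unsubscribe_by_code($db, 'a1b2c3'));       // 1
printf("rows removed for injection-style input: %d\n", unsubscribe_by_code($db, "abc' OR 1=1")); // 0
```

Only the unanchored column reports "pass" for the quoted input, which is the whole difference between the old and new line in bb_func_unsub.php. The "abc\n" row shows that the published fix still lets a trailing newline through; whether that matters depends on what the rest of the script does with the value, and the D modifier closes it at no cost.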

Author jtalk
Partaker
#2 | Posted: 31 Jan 2015 05:00 
Hey Paul, I know you're working hard on 3.1.1, but I wanted to know what some of those small bugs were.

thanks

Edit: will it be possible to manually upgrade to 3.1.1, like making the changes you listed in your post?

Author Jaime
Partaker
#3 | Posted: 31 Jan 2015 11:12 
If it had critical errors, Paul would have already done it. So I can wait reassured. Previously, Paul always provided detailed information for a manual update ... and I am sure that this will not change!

Author Paul
Lead Developer 
#4 | Posted: 31 Jan 2015 15:36 
The information about changes in 3.1.1 will be provided in the same manner as for any other release. The bugs are truly not critical and are not related to security issues.

Author Paul
Lead Developer 
#5 | Posted: 31 Jan 2015 22:23 
BTW, the issue I describe in the very first post is already included in 3.1.
