As reported today by our customer, an issue has recently been posted on the SecurityFocus site, which can be found under the URL:
http://www.securityfocus.com/bid/24503/info
It says the issue is about an "Input Validation Error", and the code under the "Exploit" section provides the algorithm, which tries to register on miniBB forums and, instead of a 3-char language value, supplies the path and name of a file which could be included later as the "language" file; that way its content could be shown to the attacker.
I may be wrong, I may be right, but here is what I think: this is just another "fake" hack which merely emulates the understanding that there is something vulnerable, while there is nothing vulnerable at all.
I've met a couple of such hacks in the past.
Now, my proof-of-concept:
1. The exploit page says "Attackers can use a browser to exploit this issue", but the code provided does not allow it at all. The hack suggests running itself from the command line. In general, you may use the browser by submitting your own "modified" registration page where the language value is substituted; however, this does not change things a lot. Read below.
2. The code supplied tries to substitute the $language variable with the file name to include. It is obvious that the variable $language is not checked in the bb_func_regusr.php file which handles the registration process; however, it is doubtful that it will work.
First, the database field can hold just 3 chars (as by default in miniBB's structure). MySQL will cut this value down to 3 chars regardless of what is specified.
Second, even if the database structure allowed your script to save the "language" value in the database this way, this value is stripped of slashes, backslashes and dots in index.php before the file is included. See the checking routine right after the line in index.php which says
user_logged_in();
As a result, I would like to read other opinions regarding this case... before issuing "a solution" :-) Maybe the solution would be just to post on SecurityFocus that another student from Iran has crashed his reputation in the hackers' underground.
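To make the two defensive layers from the post concrete, here is an added example (my own code, not miniBB's, and not the SecurityFocus code): it emulates the 3-character column truncation and the stripping of slashes, backslashes and dots before the include, runs a few constructed values through both, and sets beside them a stricter allowlist check that maps a known language code to a fixed path. The allowlist set, the column width constant and the `lang/<code>.php` layout are assumptions for the example, not facts about miniBB.

```python
import re
from typing import Optional

# Added example; not miniBB code. Constructed values: a hypothetical allowlist,
# the 3-char column width the post mentions, and an assumed lang/<code>.php layout.
ALLOWED_LANGUAGES = frozenset({"eng", "rus", "deu"})
DB_LANGUAGE_WIDTH = 3
LANG_DIR = "lang"


def truncate_like_db(value: str, width: int = DB_LANGUAGE_WIDTH) -> str:
    """Emulate a fixed-width column silently cutting the value at `width` characters."""
    return value[:width]


def strip_path_chars(value: str) -> str:
    """Emulate removal of '/', '\\' and '.' before the include, as described in the post."""
    return re.sub(r"[/\\.]", "", value)


def legacy_pipeline(submitted: str) -> str:
    """Value as it would reach the include after both layers: DB truncation, then stripping."""
    return strip_path_chars(truncate_like_db(submitted))


def language_file_allowlisted(submitted: str) -> Optional[str]:
    """Hardened check: accept only a known lowercase 3-letter code and map it to a fixed path.

    Returns the path that would be included, or None when the value is rejected.
    An allowlist fails closed, so it does not depend on column width or on which
    characters happen to be stripped.
    """
    if not re.fullmatch(r"[a-z]{3}", submitted) or submitted not in ALLOWED_LANGUAGES:
        return None
    return f"{LANG_DIR}/{submitted}.php"


if __name__ == "__main__":
    # Constructed inputs: one legitimate code and a few path-shaped values of the kind
    # the advisory describes. After truncation and stripping nothing path-like survives.
    for value in ("eng", "../../x", "a.b", "eng/../x", "ENG"):
        print(f"{value!r:12} legacy -> {legacy_pipeline(value)!r:6} "
              f"allowlist -> {language_file_allowlisted(value)}")
```

Running the block shows that a path-shaped value is reduced to an empty string by the two layers the post describes, while the allowlist version rejects anything that is not an exact known code, which is the check to prefer if the column width or the stripping routine ever changes.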