miniBB ® 

miniBB

®
Support Forums		   
 | Start | Register | Search | Statistics | File Bank | Manual |
Bugs miniBB Support Forums / Bugs /  
 

Full Path Disclosure - Array.

 
Author Corey
Partaker		 #1 | Posted: 21 Dec 2007 12:16
https://www.minibb.com/forums/index.php?action=stats&top=1&days=60&lst[]
Fatal error: Unsupported operand types in /home/minibb/public_html/forums/bb_func_stats.php on line 37

https://www.minibb.com/forums/index.php?action=stats&top[]
Fatal error: Unsupported operand types in /home/minibb/public_html/forums/bb_func_stats.php on line 37

https://www.minibb.com/forums/index.php?action=userinfo&user[]
Fatal error: Unsupported operand types in /home/minibb/public_html/forums/bb_func_usernfo.php on line 11

https://www.minibb.com/forums/index.php?action=checker&step=editsettings&isNew[]
Fatal error: Unsupported operand types in /home/minibb/public_html/forums/addon_checker.php on line 860

Author Corey
Partaker		 #2 | Posted: 21 Dec 2007 12:26
http://minibb.org/minibb-test.php?action=vthread&forum=3&topic=695&page[]
Fatal error: Unsupported operand types in /data/minibbtest/minibb-test.php on line 70

http://minibb.org/minibb-test.php?action=vthread&forum=3&topic[]
Fatal error: Unsupported operand types in /data/minibbtest/minibb-test.php on line 69

http://minibb.org/minibb-test.php?action=vthread&forum[]
Fatal error: Unsupported operand types in /data/minibbtest/minibb-test.php on line 67

Author Sergei
Team member		 #3 | Posted: 25 Dec 2007 12:02
hello.. yes, but you're using topic and forum as arrays. So what kind of behavior do you expect?

Author Paul
Lead Developer 		 #4 | Posted: 27 Dec 2007 08:25
I must agree this bug exists, however there will be still no solution for it and we will release it only when the new release of miniBB comes out next year. Basically it would be needed to fix each and every file where such integer variable setting happens, and there are a lot of these files.

In general on each "normal" hosting all PHP errors must be supressed in the configuration so most likely you won't even see such error reporting.

I have checked some major scripts like punBB or WordPress or vBulletin (and/or their add-ons) and it appears all of them can be 'vulnerable' because of this issue as well.

First I thought it is a PHP bug because it is strange that PHP which works so transparently with the operand types, and it shuts down on such simple confusion.

However to avoid confusion of the users I would mention this is not a critical bug and even knowing direct path to the scripts on the server means nothing until you have access to this path (and I suppose only folder's owner can have such access, else we could call it an insecure hosting).

Author Paul
Lead Developer 		 #5 | Posted: 19 Feb 2008 09:54
This bug was hopefully fixed in the miniBB 2.2. All official add-ons were updated as well.

Bugs miniBB Support Forums / Bugs /
 Full Path Disclosure - Array.
 Share Topic's Link

This topic is closed. New replies are not allowed.

 
 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Try the Captcha add-on: protect your miniBB-forums from the automated spam and flood.