miniBB ver. 2.5a released: SQL injection and XSS fixes

As it was recently reported by "High Tech Bridge" website, respectively, issue #HTB22671 and #HTB22670, there were found an XSS and SQL injection vulnerabilities, which are fixed in this release.

The files to fix are bb_func_usrdat.php (which you simply may overwrite to your existing file), and bb_codes.php, specifically, BB codes for [img] and [imgs] tags containing a possible ALT.

For fixing BB codes, locate the following and update your file, in the function enCodeBB() only.

It was:

/* local images - allowed for everybody */

...

/* fixed width and ALT */
$pattern[]='#\[imgs=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png)\](.+?)\[/imgs\]#i';

...

/* Non-declared code - without fixed width, with mandatory alt */
$pattern[]='#\[img=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png)\](.+?)\[/img\]#i';

/* external images - only allowed the proper extensions and codes by permission */

...

/* fixed width and ALT */
$pattern[]="/\[imgs=(http[s]*:\/\/([^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png))\](.+?)\[\/imgs\]/i";

...

/* Non-declared code - without fixed width, with alt - external images */
$pattern[]="/\[img=(http[s]
*:\/\/([^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png))\](.+?)\[\/img\]/i";

It is now:

/* local images - allowed for everybody */

...

/* fixed width and ALT */
$pattern[]='#\[imgs=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png)\]([^<>\n\r\[\]&=/"\']
+?)\[/imgs\]#i';

...

/* Non-declared code - without fixed width, with mandatory alt */
$pattern[]='#\[img=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png)\]([^<>\n\r\[\]&=/"\']
+?)\[/img\]#i';

...

/* external images - only allowed the proper extensions and codes by permission */

...

/* fixed width and ALT */
$pattern[]="/\[imgs=(http[s]*:\/\/([^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png))\]([^<>\n\r\[\]&=\/\"']+?)\[\/imgs\]/i";

...

/* Non-declared code - without fixed width, with alt - external images */
$pattern[]="/\[img=(http[s]
*:\/\/([^<> \n\r\[\]&]+?)\.(gif|jpg|jpeg|png))\]([^<>\n\r\[\]&=\/\"']+?)\[\/img\]/i";

Please report if you find any troubles with it, or any new issues.

Download miniBB 2.5a and upgrade today! Despite I can't find the "right" door for these issues, it doesn't mean there are no talented hackers around which could compromise your forum.

	miniBB Support Forums / News /
	miniBB ver. 2.5a released: SQL injection and XSS fixes

	Paul Lead Developer	#1 \| Posted: 5 Nov 2010 06:38
		As it was recently reported by "High Tech Bridge" website, respectively, issue #HTB22671 and #HTB22670, there were found an XSS and SQL injection vulnerabilities, which are fixed in this release. The files to fix are bb_func_usrdat.php (which you simply may overwrite to your existing file), and bb_codes.php, specifically, BB codes for [img] and [imgs] tags containing a possible ALT. For fixing BB codes, locate the following and update your file, in the function enCodeBB() only. It was: /* local images - allowed for everybody / ... / fixed width and ALT / $pattern[]='#\[imgs=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png)\](.+?)\[/imgs\]#i'; ... / Non-declared code - without fixed width, with mandatory alt / $pattern[]='#\[img=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png)\](.+?)\[/img\]#i'; / external images - only allowed the proper extensions and codes by permission / ... / fixed width and ALT / $pattern[]="/\[imgs=(http[s]:\/\/([^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png))\](.+?)\[\/imgs\]/i"; ... /* Non-declared code - without fixed width, with alt - external images / $pattern[]="/\[img=(http[s] :\/\/([^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png))\](.+?)\[\/img\]/i"; It is now: /* local images - allowed for everybody / ... / fixed width and ALT / $pattern[]='#\[imgs=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png)\]([^<>\n\r\[\]&=/"\'] +?)\[/imgs\]#i'; ... / Non-declared code - without fixed width, with mandatory alt / $pattern[]='#\[img=('.$dotsSiteUrl.'[^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png)\]([^<>\n\r\[\]&=/"\'] +?)\[/img\]#i'; ... / external images - only allowed the proper extensions and codes by permission / ... / fixed width and ALT / $pattern[]="/\[imgs=(http[s]:\/\/([^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png))\]([^<>\n\r\[\]&=\/\"']+?)\[\/imgs\]/i"; ... /* Non-declared code - without fixed width, with alt - external images / $pattern[]="/\[img=(http[s] :\/\/([^<> \n\r\[\]&]+?)\.(gif\|jpg\|jpeg\|png))\]([^<>\n\r\[\]&=\/\"']+?)\[\/img\]/i"; Please report if you find any troubles with it, or any new issues. Download miniBB 2.5a and upgrade today! Despite I can't find the "right" door for these issues, it doesn't mean there are no talented hackers around which could compromise your forum.

	Paul Lead Developer	#2 \| Posted: 9 Nov 2010 11:24
		A little update to this: bb_func_usrdat.php file was re-fixed today to fix a bug over a bugfix :-) Please update it once again.

	jontrac Partaker	#3 \| Posted: 9 Nov 2010 20:24
		Thanks for the update Paul.

	astass Partaker	#4 \| Posted: 20 Sep 2011 08:59
		XSS vulnerability in a file and is not resolved - bb_codes_sig.php ( Signatures) http://forum.anabot.ru/12/537/0.html: lines: /* [IMGS] tag code - with fixed width and ALT / $pattern[]="/\[img=(http:\/\/([^<> \n\r\[\]&]+?)\.?(gif\|jpg\|jpeg\|png)?)\](.?)*\[\/img\]/i"; should be: / [IMGS] tag code - with fixed width and ALT / $pattern[]="/\[img=(http:\/\/([^<> \n\r\[\]&]+?)\.?(gif\|jpg\|jpeg\|png)?)\]([^<>\n\r\[\]&=\/\"']+?)\[\/img\]/i"; The site administrator anabot* found and made the corrections. I hope many will benefit.

	Paul Lead Developer	#5 \| Posted: 20 Sep 2011 12:13
		Thank you. Now it is fixed :)


	Home Features Requirements Demo Download Showcase Gallery of Arts Compiler Premium Extensions Premium Support License Contact Us

miniBB

miniBB ver. 2.5a released: SQL injection and XSS fixes

Your Reply