miniBB version 2.1a released

Recently it has been discovered that there is a little defect in miniBB's code which in theory allows to execute remote SQL.

Currently this bug is fixed in 2.1a.

The manual fix is: modify bb_func_search.php and locate the following code:

if(isset($_GET['where'])) $where=$_GET['where']+0; else $where=0;

after that code paste the line:

if($where!=0 and $where!=1) $where=0;

The mentioned Exploit will work (again) only in those cases if you or your provider are not carrying about the security on the server and upon installing the software:

1) if register_globals of php.ini is set to ON (not recommended by PHP team)

2) if via installation of miniBB you have not renamed default table names as it is recommended by miniBB team.

miniBB

miniBB version 2.1a released - security fix

Your Reply

	miniBB Support Forums / News /
	miniBB version 2.1a released - security fix

	Paul Lead Developer	#1 \| Posted: 30 Oct 2007 02:56
		Recently it has been discovered that there is a little defect in miniBB's code which in theory allows to execute remote SQL. Currently this bug is fixed in 2.1a. The manual fix is: modify bb_func_search.php and locate the following code: if(isset($_GET['where'])) $where=$_GET['where']+0; else $where=0; after that code paste the line: if($where!=0 and $where!=1) $where=0; The mentioned Exploit will work (again) only in those cases if you or your provider are not carrying about the security on the server and upon installing the software: 1) if register_globals of php.ini is set to ON (not recommended by PHP team) 2) if via installation of miniBB you have not renamed default table names as it is recommended by miniBB team.


	Home Features Requirements Demo Download Showcase Gallery of Arts Compiler Premium Extensions Premium Support License Contact Us