http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerabil ity.html
actually this works on most register_globals=on forums

http://retrogod.altervista.org/php_ip2long.htm
don't know really if sql injection is exploitable with 15 chars allowed, but maybe mysql can be crashed

regards, rgod

I've read the first article, and could confirm, that this vulnerability works. It's a big surprise that miniBB is listed amongst leader boards there, but it's the worst news I've got past months, that it's listed with example of this vulnerability available, which will let users think it's a miniBB problem, not Zend's :(((((

Probably, the best solution would be if we define empty string first for each vulnerable variable, then doing unset(). Like

if(isset($var)) { $var=''; unset($var); }

at least it would provide less risk to get necessary value. I know that include() will fail, if there is no at all, or empty argument is set.

The same for the second one... More related to PHP, but at least I know how to fix it. I would not consider is as very risky, since "Minibb limits the string to 15 chars, so you will have an unuseful twelve chars sql injection...)" - well yes, I don't know personally what kind of hack it could be for 12 chars, if even by default, we have a tables prefix "minibbtable_", which is already 12 chars long. I also doubt you can crash mySQL with 12 chars long request. At least, I don't know such kind of single command. It would be a very nice "feature" of mySQL, if it would exist ;-)

Thank you anyway for providing this information. We will work on the updates in the very near future and release more secured version.

My host just shut down my minibb site becuase the vulnerability was exploited this morning ... I came here looking for an answer. Paul -- you just installed the most recent update for me this morning .... My host is NOT happy ... what can I do?

Ok, I've got some customer replies, which are in troubles, because lame providers are shutting down their forums instead of upgrading PHP version. I am paying everybody's attention: the first issue provided, is not a bug of miniBB, it's a bug of PHP/Zend application. It's a very serious bug, because if there is some way when unset() function may not work, there is no way to use alternative function or solution.

The second issue I would like to pay your attention to, is that this vulnerability will work only with register_globals set to ON.

Below is hot fix of this trouble, which should work for your miniBB installation, even if you have this vulnerability available. This is the only available solution currently. We are working on miniBB 2.0.2 these days, but still can not release the full package with fixed patch, because it will contain a lot of changes, which affect miniBB core files in general. So, enjoy the version 2.0.1 currently.

miniBB users with versions older than 2.0 can not simply overwrite the patched files, because their versions will not work with other updated files.

You don't need to apply the patches below, if your forums are not vulnerable. You can check this, running URL like

[your_forums]/index.php?includeHeader=http://www.google.com/?&-2690019 46=1&-834358190=1

If you will see a "Google" site above your forums, when executing this, your forums are vulnerable, and you need to apply the patch:

1) Edit index.php, and at the top of the script, where it says:

for($i=0;$i<sizeof($unset);$i++) if(isset(${$unset[$i]})) unset(${$unset[$i]});

it should be like that

for($i=0;$i<sizeof($unset);$i++) if(isset(${$unset[$i]})) { ${$unset[$i]}=''; unset(${$unset[$i]}); }

At the bottom of the same script, where it says

if(isset($includeFooter)) include($includeFooter);

it should be

if(isset($includeFooter) and $includeFooter!='') include($includeFooter);

2) Edit bb_functions.php, locate load_header() function, and in the place where it says

if(isset($GLOBALS['includeHeader'])) { include($GLOBALS['includeHeader']); return; }

it should be

if(isset($GLOBALS['includeHeader']) and $GLOBALS['includeHeader']!='') { include($GLOBALS['includeHeader']); return; }

3) Edit bb_admin.php (administration file) and do almost the same as for index.php:

at the top of the script

for($i=0;$i<sizeof($unset);$i++) if(isset(${$unset[$i]})) unset(${$unset[$i]});

should be

for($i=0;$i<sizeof($unset);$i++) if(isset(${$unset[$i]})) { ${$unset[$i]}=''; unset(${$unset[$i]}); }

at the bottom of the script it lists

if(isset($includeFooter)) include($includeFooter);

but should be

if(isset($includeFooter) and $includeFooter!='') include($includeFooter);

Everybody is welcome to give additional questions related to the problem.

jretzer
If they are not happy with the solution which WORKS, what else should we do?

Oh well... Maybe let your host upgrade to the latest stable PHP version in 4.x or 5.x series. Let them show they are professionals. It's not a bug of miniBB itself.

Paul ... did you just upgrade my files with the fix? I thought that you may have, but I went back and deactivated the site again just in case it was some sort of hacker trick ... if you did fix it, many thanks ... you guys are teriffic ...

Yes, I've updated the files, and now you have this patch enabled. See my email. You can rename index.php back.

Thanks!

Just to remind everyone.. The best fix is not to upgrade your miniBB installation, but to upgrade PHP libraries on your server ASAP, cause this is a PHP flaw and lots of other scripts on your server may be affected!

I followd the instructions for the hot fix and I think it's working well now.