
Cross Site Scripting vulnerability in miniBB 1.7 (latest) and earlier

Advisory by Eye On Security Research Group - India www.eos-india.net 

4.........................................................About Product
5..............................................Details of vulnerability

1. Product 

miniBB 1.7 (latest) and earlier

2. Vendor


3. Vulnerability

Cross Site Scripting vulnerability in bb_func_usernfo.php

4. About miniBB

(direct quote from www.minibb.net)

        miniBB ("minimalistic bulletin board") is flat linear (non-tree) 
version of highly customizable bulletin board. It inherits most popular 
features from the bulletin boards the planet has at this moment, with one 
exception: it is very small by size (2-5 times smaller than usual boards), very 
fast and FREE. Mostly miniBB is designed for small and medium Internet-sites, 
but also can be used in large projects. 

5. Details of vulnerability

        bb_func_usernfo.php contains code that reads data from the "minibb_users" 
table and displays information about the requested user. The code in 
bb_func_usernfo.php that displays a user's website is as follows:

if ($row[6]!='') $row[6]='<a href="'.$row[6].'" target="_blank">'.$row[6].'</a>';
else $row[6]='';

So an attacker can create a login in the forums and in the preferences, give 
his website name as 

Hence, when other users view his profile, the inserted JavaScript code 
is executed. The actual bug lies in the "bb_edit_prf.php" file, where the 
website name entered by a user in his preferences is not validated properly.

6. Exploit

        Create a user in the forums with your website name as 
Now suppose your user ID is 5; then just clicking 
http://[target]/index.php?action=userinfo&user=5 will execute the script. 

7. Solution

        Validate the user-supplied data when a user edits his preferences 
in the "bb_edit_prf.php" file, and filter out strings like "<script>", 
quotes, "cookie", etc.
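
One way to close the hole at both the input and the output side, shown as an added example that is not miniBB code or part of the original advisory. It uses a URL-scheme allowlist plus HTML output encoding rather than the string filtering suggested above; it assumes PHP 7 or later, and the function names and sample values are constructed for illustration.

```php
<?php
// Added example, not miniBB code. Assumes PHP 7+; function names are hypothetical.

// Same behaviour as the bb_func_usernfo.php line quoted in the advisory:
// the stored website value goes into the markup unencoded.
function render_website_unsafe(string $site): string
{
    if ($site === '') {
        return '';
    }
    return '<a href="' . $site . '" target="_blank">' . $site . '</a>';
}

// Allowlist check, meant to run both when bb_edit_prf.php saves the field
// and again before display (rows stored before the fix are still untrusted).
function is_allowed_website(string $site): bool
{
    $scheme = parse_url($site, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Hardened rendering: drop non-http(s) values, HTML-encode everything else.
function render_website_safe(string $site): string
{
    $site = trim($site);
    if ($site === '' || !is_allowed_website($site)) {
        return '';
    }
    $enc = htmlspecialchars($site, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $enc . '" target="_blank" rel="noopener noreferrer">'
        . $enc . '</a>';
}

// Constructed sample values for the website field (not taken from the advisory).
$samples = [
    'http://example.com/',
    'http://example.com/" data-x="injected',  // tries to close the href attribute
    'javascript:void(0)',                     // non-http scheme
    'example.com',                            // no scheme at all
];

foreach ($samples as $site) {
    echo "input : $site\n";
    echo "unsafe: " . render_website_unsafe($site) . "\n";
    echo "safe  : " . render_website_safe($site) . "\n\n";
}
```

For the second sample the unsafe renderer emits an extra attribute on the link, while the safe renderer keeps the quote inside the href value as `&quot;`.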

8. Credits

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net