
miniBB 1.7 (latest) and earlier XSS
Cross Site Scripting vulnerability in miniBB 1.7 (latest) and earlier





====================================================================

Advisory by Eye On Security Research Group - India www.eos-india.net 

====================================================================







1...............................................................Product

2................................................................Vendor

3.........................................................Vulnerability

4.........................................................About Product

5..............................................Details of vulnerability

6...............................................................Exploit

7..............................................................Solution

8...............................................................Credits









1. Product 

==========



miniBB 1.7 (latest) and earlier





2. Vendor

=========



www.minibb.net 





3. Vulnerability

================



Cross Site Scripting vulnerability in bb_func_usernfo.php





4. About miniBB

===============



(direct quote from www.minibb.net) 



	miniBB ("minimalistic bulletin board") is flat linear (non-tree) version of highly customizable bulletin board. It inherits most popular features from the bulletin boards the planet has at this moment, with one exception: it is very small by size (2-5 times smaller than usual boards), very fast and FREE. Mostly miniBB is designed for small and medium Internet-sites, but also can be used in large projects. 





5. Details of vulnerability

===========================



	bb_func_usernfo.php contains code that reads data from the "minibb_users" table and displays information about the requested user. The code that displays a user's website in bb_func_usernfo.php is as follows:



if ($row[6]!='') $row[6]=''.$row[6].''; else $row[6]='';



So an attacker can create a login on the forum and, in the preferences, set his website name to <script>somejavascriptcode</script>">http://blah.com"><script>somejavascriptcode</script> 



Hence, when others view his profile, the inserted JavaScript code will be executed. The actual bug lies in the "bb_edit_prf.php" file, where the website name a user enters in his preferences is not validated properly.



6. Exploit

==========



	Create a user in the forums with your website name as 

<script>alert(document.cookie)</script>">http://blah.com"><script>alert(document.cookie)</script> 

Now suppose your userid is 5, then just clicking http://[target]/index.php?action=userinfo&user=5 will execute the script. 



7. Solution

===========



	Validate the user data when a user edits his preferences in the "bb_edit_prf.php" file, and filter out strings like "<script>", quotes, "cookie" etc.
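
One way to apply this fix, shown as an added example that is not miniBB's code or the advisory authors' patch. It goes beyond string filtering by allow-listing the URL scheme on input and HTML-encoding on output. The function names are hypothetical, and it assumes the profile page places the stored website value in a link's href and link text.

```php
<?php
// Added example, not miniBB code. Function names are hypothetical.

// Input side (where bb_edit_prf.php stores the value): accept only
// absolute http/https URLs with a host; everything else becomes ''.
function normalize_website(string $input): string
{
    $url = trim($input);
    if ($url === '' || strlen($url) > 255) {
        return '';
    }
    // Reject control characters, whitespace, quotes and angle brackets.
    if (preg_match('/[\x00-\x20\x7f"\'<>]/', $url)) {
        return '';
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

// Output side (where bb_func_usernfo.php prints the value): re-validate
// and encode, so rows already stored in minibb_users cannot inject markup.
// The anchor markup is an assumption about how the profile shows the link.
function render_website(string $stored): string
{
    $url = normalize_website($stored);
    if ($url === '') {
        return '';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a>';
}

// Constructed sample values, including the string from the Exploit section.
$samples = [
    'http://blah.com',
    'http://blah.com"><script>alert(document.cookie)</script>',
    'javascript:void(0)',            // non-http(s) scheme, no host
    'https://example.org/?a=1&b=2',  // "&" must come out as "&amp;"
];
foreach ($samples as $s) {
    $html = render_website($s);
    printf("%-58s => %s\n", $s, $html === '' ? '(rejected)' : $html);
}
```

Encoding at output time matters even with input validation in place, because website values saved before the fix remain in the database unchanged.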





8. Credits

==========



Chintan Trivedi - http://www.hackersprogrammers.com 

"Eye on Security Research Group - India " - www.eos-india.net 
