Cross Site Scripting vulnerability in miniBB 1.7 (latest) and earlier
====================================================================
Advisory by Eye On Security Research Group - India www.eos-india.net
====================================================================
1...............................................................Product
2................................................................Vendor
3.........................................................Vulnerability
4.........................................................About Product
5..............................................Details of vulnerability
6...............................................................Exploit
7..............................................................Solution
8...............................................................Credits
1. Product
==========
miniBB 1.7 (latest) and earlier
2. Vendor
=========
www.minibb.net
3. Vulnerability
================
Cross Site Scripting vulnerability in bb_func_usernfo.php
4. About miniBB
===============
(direct quote from www.minibb.net)
miniBB ("minimalistic bulletin board") is a flat linear (non-tree)
version of a highly customizable bulletin board. It inherits the most popular
features from the bulletin boards the planet has at this moment, with one
exception: it is very small in size (2-5 times smaller than usual boards), very
fast and FREE. Mostly miniBB is designed for small and medium Internet-sites,
but it can also be used in large projects.
5. Details of vulnerability
===========================
bb_func_usernfo.php contains code that reads data from the "minibb_users"
table and displays information about the requested user. The code that
displays a user's website in bb_func_usernfo.php is as follows:
    if ($row[6]!='') $row[6]='<a href="'.$row[6].'" target="_blank">'.$row[6].'</a>'; else $row[6]='';
The website value ($row[6]) is written into the HTML without any encoding.
An attacker can therefore register a login on the forum and, in the
preferences, set his website to
http://blah.com"></a><script>somejavascriptcode</script>
When other users view his profile, the inserted JavaScript code is executed.
The actual bug lies in the "bb_edit_prf.php" file, where the website value a
user enters in his preferences is not validated properly.
6. Exploit
==========
Create a user in the forums with the website name set to
http://blah.com"></a><script>alert(document.cookie)</script>
Now suppose the userid is 5; simply visiting
http://[target]/index.php?action=userinfo&user=5 will execute the script.
7. Solution
===========
Validate the user data when a user edits his preferences in the
"bb_edit_prf.php" file, and filter out strings like "<script>", quotes,
"cookie" etc.
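The following is an added example (not miniBB's own code) showing how the
two places named in this advisory can be fixed. It goes beyond the blacklist
approach suggested above: the save-time check in bb_edit_prf.php accepts only a
plain http(s) URL shape, and the output in bb_func_usernfo.php is HTML-encoded
so that a value stored before the fix still cannot break out of the attribute.
The function names, the 255-character limit and the sample payload are
assumptions constructed for illustration.

```php
<?php
// Added example, not miniBB's own code. Function names, the length limit
// and the payload below are assumptions/constructed values for illustration.

// Vulnerable form (the logic quoted from bb_func_usernfo.php): the stored
// value is concatenated into an attribute and into the link text unencoded.
function render_website_vulnerable(string $website): string
{
    if ($website !== '') {
        return '<a href="' . $website . '" target="_blank">' . $website . '</a>';
    }
    return '';
}

// Save-time check for bb_edit_prf.php: accept only scheme://host[:port][/path]
// with no whitespace, quotes or angle brackets anywhere. An allow-list of URL
// shapes is used instead of filtering "<script>", since a blacklist can be
// evaded with case changes, event handlers or other tags.
function is_valid_website_url(string $website): bool
{
    if ($website === '' || strlen($website) > 255) {
        return false;
    }
    return preg_match('~^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[^\s"\'<>]*)?$~', $website) === 1;
}

// Output-time encoding for bb_func_usernfo.php: ENT_QUOTES turns both quote
// characters and angle brackets into entities, so the value can neither close
// the href attribute nor open a new element.
function render_website_safe(string $website): string
{
    if ($website === '') {
        return '';
    }
    $safe = htmlspecialchars($website, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" target="_blank">' . $safe . '</a>';
}

// Constructed payload in the shape the advisory describes.
$payload = 'http://blah.com"></a><script>alert(document.cookie)</script>';

// Save time: the payload fails the URL check, a plain site address passes.
var_dump(is_valid_website_url($payload));
var_dump(is_valid_website_url('http://blah.com'));

// Output time: compare the raw concatenation with the encoded version.
echo render_website_vulnerable($payload), "\n";
echo render_website_safe($payload), "\n";
```

With the payload above, is_valid_website_url() returns false because the
closing quote after blah.com is neither a port nor a path, while
render_website_safe() emits the quote and angle brackets as &quot;, &lt; and
&gt;, so the browser shows the string as text inside the link rather than
parsing a second element. Applying both checks gives defence in depth: the
validation keeps bad values out of "minibb_users", and the encoding protects
viewers even if a bad value is already stored.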
8. Credits
==========
Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net