Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MiniBB 3.0.0 Cross Site Scripting / SQL Injection

🗓️ 12 Jul 2013 00:00:00Reported by Omar KurtType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 18 Views

MiniBB 3.0.0 XSS and SQL Injection vulnerabilities

Code
`Information  
--------------------  
Name : XSS and SQL Injection Vulnerabilities in MiniBB  
Software : MiniBB 3.0.0 and possibly below.  
Vendor Homepage : http://www.minibb.com  
Vulnerability Type : Cross-Site Scripting and SQL Injection  
Severity : Critical  
Researcher : Omar Kurt  
Advisory Reference : NS-13-002  
  
Description  
--------------------  
miniBB® is a standalone, open source program for building your own Internet  
forum, and it's free to download. Comparing to the other forum software  
available on the market, miniBB just brings what it's created for: an easy,  
lite, and speedy quick forum.  
  
Details  
--------------------  
MiniBB is affected by XSS and SQL Injection vulnerabilities in version  
3.0.0.  
  
XSS: http://example.com/bb_admin.php (GET - params: forum_name,  
forum_group, forum_icon, whatus, forum_desc)  
SQL Injection:  
http://example.com/bb_admin.php?action=searchusers2&searchus=id&whatus='+(SELECT1  
FROM (SELECT SLEEP(25))A)+'  
You can read the full article about Cross-Site Scripting and SQL Injection  
vulnerabilities from here :  
Cross-site Scripting (XSS):  
https://www.mavitunasecurity.com/crosssite-scripting-xss/  
SQL Injection: https://www.mavitunasecurity.com/sql-injection/  
  
Solution  
--------------------  
-  
  
Advisory Timeline  
--------------------  
26/02/2013 - First contact  
15/03/2013 - Fix & New MiniBB version released  
11/07/2013 - Advisory released  
  
Credits  
--------------------  
It has been discovered on testing of Netsparker Web Application Security  
Scanner.  
  
References  
--------------------  
Vendor Url / Patch :  
http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html  
MSL Advisory Link :  
https://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-minibb/  
Netsparker Advisories :  
https://www.mavitunasecurity.com/netsparker-advisories/  
  
About Netsparker  
--------------------  
Netsparker® can find and report security issues such as SQL Injection and  
Cross-site Scripting (XSS) in all web applications regardless of the  
platform and the technology they are built on. Netsparker's unique  
detection and exploitation techniques allows it to be dead accurate in  
reporting hence it's the first and the only False Positive Free web  
application security scanner.  
  
--   
Netsparker Advisories, <[email protected]>  
Homepage, http://www.mavitunasecurity.com/netsparker-advisories/  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Jul 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
minibbcross-site scriptingsql injectioninternet forumsecurity scanneropen source
18