Cross Site Scripting vulnerability in miniBB 1.7 (latest) and earlier

2003-12-30T00:00:00
ID SECURITYVULNS:DOC:5580
Type securityvulns
Reporter Securityvulns
Modified 2003-12-30T00:00:00

Description

====================================================================
Advisory by Eye On Security Research Group - India
www.eos-india.net
====================================================================

1. Product
2. Vendor
3. Vulnerability
4. About Product
5. Details of vulnerability
6. Exploit
7. Solution
8. Credits

1. Product

miniBB 1.7 (latest) and earlier

2. Vendor

www.minibb.net

3. Vulnerability

Cross Site Scripting vulnerability in bb_func_usernfo.php

4. About miniBB

(direct quote from www.minibb.net)

    miniBB ("minimalistic bulletin board") is a flat linear (non-tree) version of a highly customizable bulletin board. It inherits the most popular features from the bulletin boards the planet has at this moment, with one exception: it is very small by size (2-5 times smaller than usual boards), very fast and FREE. Mostly miniBB is designed for small and medium Internet sites, but it can also be used in large projects.

5. Details of vulnerability

    bb_func_usernfo.php contains code that reads a row from the "minibb_users" table and displays information about the requested user. The code that displays any user's website in bb_func_usernfo.php is as follows:

if ($row[6]!='') $row[6]='<a href="'.$row[6].'" target="_blank">'.$row[6].'</a>'; else $row[6]='';

The value of $row[6] (the website field) is placed both in the href attribute and in the link text without any HTML encoding. So an attacker can create a login in the forums and, in the preferences, give his website name as http://blah.com"></a><script>somejavascriptcode</script>

Hence, when other users view his profile, the inserted JavaScript code will be executed. The actual bug lies in the "bb_edit_prf.php" file, where the website name a user enters in his preferences is not validated properly.

6. Exploit

    Create a user in the forums with your website name as http://blah.com"></a><script>alert(document.cookie)</script>

Now suppose your userid is 5; then simply clicking http://[target]/index.php?action=userinfo&user=5 will execute the script.

7. Solution

    Validate the user data when a user edits his preferences in the "bb_edit_prf.php" file, and filter out strings like "<script>", quotes, "cookie" etc.
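The following is an added example (not miniBB's own code, and not part of the original advisory) covering both the rendering problem described in section 5 and the fix suggested in section 7. It places a function with the same shape as the quoted bb_func_usernfo.php line beside a hardened version. Rather than blacklisting strings such as "<script>", the hardened version validates the stored value as an http(s) URL at preference-edit time and HTML-encodes it at output time, so a value that slips past the filter still cannot break out of the href attribute. Function names, the payload string and the sample URL are constructed for this example.

```php
<?php
// Added example, not miniBB's own code: vulnerable rendering of the
// "website" profile field beside a validated-and-encoded version.

// Same shape as the advisory's bb_func_usernfo.php line: the stored
// value lands in the href attribute and the link text unescaped.
function render_website_vulnerable(string $website): string
{
    if ($website === '') {
        return '';
    }
    return '<a href="' . $website . '" target="_blank">' . $website . '</a>';
}

// Validation intended for the preference-edit step (the advisory's
// bb_edit_prf.php). Returns the accepted URL, '' for an empty field,
// or null when the value must be rejected.
function validate_website(string $website): ?string
{
    $website = trim($website);
    if ($website === '') {
        return '';
    }
    // Only characters permitted in a URL by RFC 3986; this alone rejects
    // the quote and angle brackets the advisory's payload relies on.
    if (!preg_match('~^[A-Za-z0-9\-._~:/?#\[\]@!$&\'()*+,;=%]+$~', $website)) {
        return null;
    }
    // Must parse as an absolute URL at all.
    if (filter_var($website, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Allow only http and https (rules out javascript: and data: links,
    // which FILTER_VALIDATE_URL by itself does not reject).
    $scheme = strtolower((string) parse_url($website, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return $website;
}

// Output encoding for the profile page: ENT_QUOTES encodes <, >, &, "
// and ', so the value can neither close the attribute nor open a tag.
function render_website_safe(string $website): string
{
    if ($website === '') {
        return '';
    }
    $enc = htmlspecialchars($website, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $enc . '" target="_blank" rel="noopener noreferrer">'
        . $enc . '</a>';
}

// Constructed sample input: the payload shape described in the advisory.
$payload = 'http://blah.com"></a><script>alert(document.cookie)</script>';

// The vulnerable renderer emits a live <script> element.
echo "Vulnerable: ", render_website_vulnerable($payload), "\n";

// The hardened path rejects it before it is ever stored; even if it were
// stored, render_website_safe() would emit it as inert text.
$checked = validate_website($payload);
if ($checked === null) {
    echo "Hardened: value rejected at preference-edit time\n";
    echo "If already stored: ", render_website_safe($payload), "\n";
} else {
    echo "Hardened: ", render_website_safe($checked), "\n";
}

// A legitimate URL (constructed sample) passes validation and renders
// as a normal, clickable link.
$legit = validate_website('https://www.minibb.net/') ?? '';
echo "Legit: ", render_website_safe($legit), "\n";
```

Validation at input time and encoding at output time are independent layers: the first keeps junk out of the "minibb_users" table, the second makes the profile page safe even for rows written before the fix was applied.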

8. Credits

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India" - www.eos-india.net