Home / os / winmobile

MiniBB 3.1.1 Cross Site Scripting

Posted on 07 November 2015

Security Advisory - Curesec Research Team 1. Introduction Affected Product: MiniBB 3.1.1 Fixed in: 3.2 Fixed Version Link: http://www.minibb.com/download.php?file=minibb Vendor Contact: security@minibb.com Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description There is an XSS vulnerability in MiniBB 3.1.1. With this, it is possible to steal cookies, bypass CSRF protection, or inject JavaScript keyloggers. 3. Proof of Concept http://localhost/minibb/index.php?action=editmsg&topic=2&forum=1&post=3&page=1&anchor="><script>alert(1)</script> 4. Solution To mitigate this issue please upgrade at least to version 3.2: http://www.minibb.com/download.php?file=minibb Please note that a newer version might already be available. 5. Report Timeline 09/01/2015 Informed Vendor about Issue 09/02/2015 Vendor announces release of fix 10/01/2015 No fix released yet, set new public disclosure date 10/01/2015 Vendor releases fix 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/MiniBB-311-XSS-63.html

 

TOP