XMB Forum Software

[Security] BBCode Defect

miqrogroove - 4-16-2021 at 03:59 PM

Bug Source: XMB, all versions

Symptoms: Unexpected output, Javascript compromise (XSS)

Security Impact: High

ID: CVE-2021-29399

Disclosed by: Igor Sak-Sakovskiy, Positive Technologies

Fixed By: XMB 1.9.12.03 and later are not affected. XMB 1.9.11.16 also includes this patch.

Discussion:

Users or spammers could manipulate the website to reveal private information or misdirect other users by injecting browser scripts. This defect in the BBCode feature was disclosed privately so that a patch could be developed before any details were published. BBCode is a highly restrictive substitute for HTML that normally protects the website. This patch changes the way BBCode is processed within XMB to further reinforce the blocking of all scripts.

Recommendations:

Diff Options:

As an extra alternative, diff files are available for the previous patch levels. These are smaller and easier to apply to customized websites.
Please note that these patch levels do not provide PHP 8 compatibility.

Patch Instructions

Attachment: xmb-1.9.12-bbcode.patch (7kB)
This file has been downloaded 16 times

Attachment: xmb-1.9.11-bbcode.patch (6kB)
This file has been downloaded 12 times


Patching Unsupported Versions:

Attempting to modify versions less than 1.9.11 is strongly discouraged because the BBCode functions and related features are different in each version. XMB 1.9.12.03 is the most secure version and the preferred solution.