XMB Forum Software
Not logged in [Login - Register]
Go To Bottom

Printable Version  
Author: Subject: [Security] BBCode Defect
miqrogroove
XMB 1.9.12 Lead Developer
*********


Avatar


Posts: 462
Registered: 10-1-2002
Location: Florida
Member Is Offline

Mood: Past Three O'Clock

[*] posted on 4-16-2021 at 03:59 PM
[Security] BBCode Defect


Bug Source: XMB, all versions

Symptoms: Unexpected output, Javascript compromise (XSS)

Security Impact: High

ID: CVE-2021-29399

Disclosed by: Igor Sak-Sakovskiy, Positive Technologies

Fixed By: XMB 1.9.12.03 and later are not affected. XMB 1.9.11.16 also includes this patch.

Discussion:

Users or spammers could manipulate the website to reveal private information or misdirect other users by injecting browser scripts. This defect in the BBCode feature was disclosed privately so that a patch could be developed before any details were published. BBCode is a highly restrictive substitute for HTML that normally protects the website. This patch changes the way BBCode is processed within XMB to further reinforce the blocking of all scripts.

Recommendations:
  • Servers running PHP 7 or PHP 8

  • Servers running PHP 5
    • If you installed XMB 1.9.11 - Files can be replaced or merged from XMB-1.9.11.16.zip
    • If you installed XMB 1.9.1 through 1.9.10 - Upgrade to version 1.9.11.16.
    • Please consider updating your server with a new version of PHP.

  • Upgrade Instructions

Diff Options:

As an extra alternative, diff files are available for the previous patch levels. These are smaller and easier to apply to customized websites.
Please note that these patch levels do not provide PHP 8 compatibility.

Patch Instructions

Attachment: xmb-1.9.12-bbcode.patch (7kB)
This file has been downloaded 412 times

Attachment: xmb-1.9.11-bbcode.patch (6kB)
This file has been downloaded 402 times


Patching Unsupported Versions:

Attempting to modify versions less than 1.9.11 is strongly discouraged because the BBCode functions and related features are different in each version. XMB 1.9.12.03 is the most secure version and the preferred solution.


View user's profile Visit user's homepage View All Posts By User

  Go To Top

Powered by XMB 1.9.12 (Debug Mode)
XMB Forum Software © 2001-2024 The XMB Group
[Queries: 16] [PHP: 37.6% - SQL: 62.4%]