UseBB 1.0.7 “vulnerability”

Yesterday (July 20th, 2007), a post was made on the popular Bugtraq mailing list about a so-called vulnerability in UseBB 1.0.7. This vulnerability includes an insecure value of PHP's PHP_SELF variable being used in forms in three old upgrade scripts that can be exploited for an "XSS attack". However, unlike the report states, this vulnerability should be rated far from "dangerous".

The vulnerability is found in upgrade scripts which were used to upgrade a few old versions of UseBB, being 0.2.3, 0.3 and 0.4. The latter one was released almost 2.5 years ago. Second, this vulnerability poses zero security threats to an existing UseBB set-up. The only possible abuse of this vulnerability is through receiving a malformed URL (containing possibly dangerous JavaScript) to one of these update scripts. Chances anyone gets into this situation are very rare, unless you are still updating an unsupported 2.5 years old UseBB version and are receiving "help" from an abusive person.

As a resolution to this vulnerability, these three upgrade scripts have been removed from the source tree in CVS, since they were obviously no longer supported and possibly even not working anymore. If you have the install/ directory present in a publicly available forum, it is advised to remove it in any case, although the scripts should only cause SQL errors and perform no changes when used with an existing set-up.

I am not very satisfied by the way this vulnerability was made public. Next to it being rated "dangerous" without a valid reason, I have not been contacted about this vulnerability in advance to offer a resolution before the report was made public. I am very disappointed in the reporter (who calls himself "S4mi") and hope he/she understands the mistakes that were made.

Since this is not the first time we are plagued by partially false reports, we will start publishing our own security reports when necessary as of the release of UseBB 2.0.0. (0 comments) Tags: comments, release