CVE-2008-2024

miniBB < 2.2 - Cross-Site Scripting via glang[] Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-2024. PoCs published by girex.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in miniBB 2.2, including Full Path Disclosure, Cross-Site Scripting (XSS), and Remote SQL Injection. The SQL Injection PoC retrieves admin credentials or sensitive files via UNION-based attacks, requiring register_globals to be enabled.

Description

Cross-site scripting (XSS) vulnerability in index.php in miniBB 2.2, and possibly earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the glang[] parameter in a registernew action.

Exploits (1)

exploitdb WORKING POC VERIFIED

by girex · textwebappsphp

https://www.exploit-db.com/exploits/5494

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in miniBB 2.2, including Full Path Disclosure, Cross-Site Scripting (XSS), and Remote SQL Injection. The SQL Injection PoC retrieves admin credentials or sensitive files via UNION-based attacks, requiring register_globals to be enabled.

Classification

Working Poc 90%

Attack Type

Sqli | Xss | Info Leak

Complexity

Moderate

Reliability

Reliable

Target: miniBB 2.2 (and prior versions)

No auth needed

Prerequisites: register_globals = On · target running miniBB 2.2 or prior

MITRE ATT&CK