MyBB 1.4.5 Cross Site Scripting

2009-05-05T00:00:00
ID PACKETSTORM:77239
Type packetstorm
Reporter Jacques Copeau
Modified 2009-05-05T00:00:00

Description

                                        
                                            `Advisory : “Cross-Site Scripting” vulnerability in MyBB  
  
Application: MyBB  
Vulnerable Versions: <= 1.4.5  
Reported By: Jacques Copeau  
  
Description  
***********  
  
MyBB is a forum package full of useful and to-the-point features, helping you  
to make administrating your bulletin board as easy as possible. We highlighted  
some of MyBB's best capabilities, to show you why you should choose MyBB over  
any other discussion board.  
  
Details  
*******  
MyBB suffers from failure to properly sanitize user input, resulting in  
cross-site-scripting vulnerabilities.  
By entering malicious scripts into the Avatar URL field in the user control  
panel, attackers can steal login credentials, attack user pcs, manipulate  
board settings and even to introduce malicious php scripts into the board.  
http://yourdomain.com/somefile.png?"><script>alert('xss')</script>  
  
http://yourdomain.com/somefile.png must be a valid link to an image file  
meeting the board settings for avatars.  
  
Discussion  
*******  
The XSS renders in all browsers and on various pages inside the myBB software.  
We consider it to be particularly grave, as it renders on the ACP user overview  
page; this can be easily exploited to construct a universal CSRF vulnerability  
that introduces malicious php code into the script.  
  
Fix Information  
***************  
Update to MyBB 1.4.6  
  
Note  
***************  
This vulnerability was discovered as part of a survey, which will be released  
at a later date.  
  
Timeline:  
***********  
April 29th 2009: Contacted Vendor  
April 30th 2009: Vendor reaction: "bogus"  
April 30th 2009: Vendor corrects statement  
May 3rd 2009: Patch released  
May 3rd 2009: Full Disclosure  
  
References:  
***********  
  
http://www.mybboard.net/  
`