Message-ID: <20060124185012.10323.qmail@securityfocus.com>
Date: 24 Jan 2006 18:50:12 -0000
From: roozbeh_afrasiabi@...oo.com
To: bugtraq@...urityfocus.com
Subject: [KAPDA::#25] - MyBB 1.x Cross_Site_Scripting


[KAPDA::#25] - MyBB 1.x Cross_Site_Scripting

KAPDA New advisory

Vulnerable products : MYBB 1.x
Vendor:  www.mybboard.net/
Risk: medium 
Vulnerabilities: Cross_Site_Scripting
Discovered by Roozbeh Afrasiabi
www.persiax.com

Date :
--------------------
Found : Jan 21 2006
Vendor Contacted : N/A
Release Date : N/A

About :
--------------------
MyBB is a powerful, efficient and free forum package developed in PHP and MySQL. MyBB has been designed with the end users in mind, you and your subscribers. Full control over your discussion system is presented right at the tip of your fingers, from multiple styles and themes to the ultimate customisation of your forums using the template system.



Vulnerability:
--------------------
Cross_Site_Scripting (XSS,CSS):

MYBB is affected by a cross-site scripting vulnerability. This issue is due to the failure of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed.


Detail and PoC :
--------------------

1)

The application does not validate the "notepad" variable upon submission to the usercp.php script via the POST method. The personal pad saves this data, which is later displayed to the user (i.e. on visiting the personal pad page).

h**p://[target]/usercp.php?action=notepad
notepad=</textarea><script>alert(document.cookie)</script>


2)

This flaw exists because the application does not validate the "signature" variable upon submission to the usercp.php script via the POST method.

h**p://[target]/usercp.php?action=editsig
signature=</textarea><script>alert(document.cookie)</script>



Solution :
--------------------
N/A


Original Advisory :
--------------------
http://kapda.ir/advisory-241.html


Credit :
--------------------
Discovered by Roozbeh Afrasiabi
roozbeh_afrasiabi[at]yahoo.com
black_death[at]kapda.ir
www.persiax.com
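
Added example, not part of the original advisory and not MyBB source code: both findings above come down to a stored value being written back into a `<textarea>` without output encoding, so the sketch below renders the advisory's own test string through an unencoded and an encoded path and checks whether the textarea stays closed only where the template closes it. The function names and the textarea attributes are hypothetical.

```php
<?php
// Illustration only. Function names and markup are assumptions, not MyBB code.

// Pattern described in the advisory: the stored "notepad" or "signature"
// value is echoed into the edit form verbatim. A value that contains
// "</textarea>" ends the element early and the rest is parsed as markup.
function render_field_unencoded(string $field, string $stored): string
{
    return '<textarea name="' . $field . '">' . $stored . '</textarea>';
}

// Corrected pattern: encode on output so <, >, & and quotes become entities
// and the browser treats the whole value as textarea text.
function render_field_encoded(string $field, string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="' . $field . '">' . $safe . '</textarea>';
}

// Regression check for a template test suite: the only closing textarea tag
// must be the template's own, and no script element may appear in the output.
function textarea_is_intact(string $html): bool
{
    $lower = strtolower($html);
    return substr_count($lower, '</textarea>') === 1
        && substr($lower, -strlen('</textarea>')) === '</textarea>'
        && strpos($lower, '<script') === false;
}

// Test string taken from the advisory's PoC section.
$value = '</textarea><script>alert(document.cookie)</script>';

foreach (['notepad', 'signature'] as $field) {
    $renderers = [
        'unencoded' => 'render_field_unencoded',
        'encoded'   => 'render_field_encoded',
    ];
    foreach ($renderers as $label => $renderer) {
        $html = $renderer($field, $value);
        printf(
            "%-9s %-9s intact=%s\n    %s\n",
            $field,
            $label,
            textarea_is_intact($html) ? 'yes' : 'no',
            $html
        );
    }
}
```

Encoding at output time, as here, covers values that were stored before any input-side filter was put in place.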

