lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 3 May 2009 13:59:59 +0200
From: Jacques Copeau <jacquescopeau@...glemail.com>
To: bugtraq@...urityfocus.com
Subject: “Cross-Site Scripting” vulnerability in MyBB 1.4.5

Advisory : “Cross-Site Scripting” vulnerability in MyBB

Application: MyBB
Vulnerable Versions: <= 1.4.5
Reported By: Jacques Copeau

Description
***********

MyBB is a forum package full of useful and to-the-point features, helping you
to make administrating your bulletin board as easy as possible. We highlighted
some of MyBB's best capabilities, to show you why you should choose MyBB over
any other discussion board.

Details
*******
MyBB suffers from failure to properly sanitize user input, resulting in
cross-site-scripting vulnerabilities.
By entering malicious scripts into the Avatar URL field in the user control
panel, attackers can steal login credentials, attack user pcs, manipulate
board settings and even to introduce malicious php scripts into the board.
http://yourdomain.com/somefile.png?"><script>alert('xss')</script>

http://yourdomain.com/somefile.png must be a valid link to an image file
meeting the board settings for avatars.

Discussion
*******
The XSS renders in all browsers and on various pages inside the myBB software.
We consider it to be particularly grave, as it renders on the ACP user overview
page; this can be easily exploited to construct a universal CSRF vulnerability
that introduces malicious php code into the script.

Fix Information
***************
Update to MyBB 1.4.6

Note
***************
This vulnerability was discovered as part of a survey, which will be released
at a later date.

Timeline:
***********
April 29th 2009: Contacted Vendor
April 30th 2009: Vendor reaction: "bogus"
April 30th 2009: Vendor corrects statement
May 3rd 2009: Patch released
May 3rd 2009: Full Disclosure

References:
***********

http://www.mybboard.net/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ