MyBB 1.4.5 Cross-Site Scripting

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1051986 漏洞类型
发布时间 2009-05-05 更新时间 2009-05-05
漏洞平台 N/A CVSS评分 N/A
Advisory : Cross-Site Scripting vulnerability in MyBB

Application: MyBB
Vulnerable Versions: <= 1.4.5
Reported By: Jacques Copeau


MyBB is a forum package full of useful and to-the-point features, helping you
to make administrating your bulletin board as easy as possible. We highlighted
some of MyBB's best capabilities, to show you why you should choose MyBB over
any other discussion board.

MyBB suffers from failure to properly sanitize user input, resulting in
cross-site-scripting vulnerabilities.
By entering malicious scripts into the Avatar URL field in the user control
panel, attackers can steal login credentials, attack user pcs, manipulate
board settings and even to introduce malicious php scripts into the board."><script>alert('xss')</script> must be a valid link to an image file
meeting the board settings for avatars.

The XSS renders in all browsers and on various pages inside the myBB software.
We consider it to be particularly grave, as it renders on the ACP user overview
page; this can be easily exploited to construct a universal CSRF vulnerability
that introduces malicious php code into the script.

Fix Information
Update to MyBB 1.4.6

This vulnerability was discovered as part of a survey, which will be released
at a later date.

April 29th 2009: Contacted Vendor
April 30th 2009: Vendor reaction: "bogus"
April 30th 2009: Vendor corrects statement
May 3rd 2009: Patch released
May 3rd 2009: Full Disclosure