Advisory : Cross-Site Scripting vulnerability in MyBB Application: MyBB Vulnerable Versions: <= 1.4.5 Reported By: Jacques Copeau Description *********** MyBB is a forum package full of useful and to-the-point features, helping you to make administrating your bulletin board as easy as possible. We highlighted some of MyBB's best capabilities, to show you why you should choose MyBB over any other discussion board. Details ******* MyBB suffers from failure to properly sanitize user input, resulting in cross-site-scripting vulnerabilities. By entering malicious scripts into the Avatar URL field in the user control panel, attackers can steal login credentials, attack user pcs, manipulate board settings and even to introduce malicious php scripts into the board. http://yourdomain.com/somefile.png?"><script>alert('xss')</script> http://yourdomain.com/somefile.png must be a valid link to an image file meeting the board settings for avatars. Discussion ******* The XSS renders in all browsers and on various pages inside the myBB software. We consider it to be particularly grave, as it renders on the ACP user overview page; this can be easily exploited to construct a universal CSRF vulnerability that introduces malicious php code into the script. Fix Information *************** Update to MyBB 1.4.6 Note *************** This vulnerability was discovered as part of a survey, which will be released at a later date. Timeline: *********** April 29th 2009: Contacted Vendor April 30th 2009: Vendor reaction: "bogus" April 30th 2009: Vendor corrects statement May 3rd 2009: Patch released May 3rd 2009: Full Disclosure References: *********** http://www.mybboard.net/