Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

MyBB 1.10 New CrossSiteScripting ' member.php '

From: o.y.6 () hotmail com
Date: 12 Apr 2006 19:29:54 -0000
//-- MyBB 1.10 New CrossSiteScripting ' member.php ' --//

Webattack :-
        /mybb/member.php?action=do_login&username=[usrname]&password=[pass]&url="><script>alert(1);</script>

//-- FixIT --//

        Open member.php
    GoTo Line :- 1030 ..


        if($mybb->input['url'])
                        {
                                redirect($mybb->input['url'], $lang->redirect_loggedin);
                        }


        Replace It With

                if($mybb->input['url'])
                        {
                redirect(htmlspecialchars($mybb->input['url']), $lang->redirect_loggedin);
                        }
//-- --//
Previous By Date Next
Previous By Thread Next

Current thread: