Bugtraq mailing list archives
MyBB 1.10 New CrossSiteScripting ' member.php '
From: o.y.6 () hotmail com
Date: 12 Apr 2006 19:29:54 -0000
//-- MyBB 1.10 New CrossSiteScripting ' member.php ' --//

Webattack :-

/mybb/member.php?action=do_login&username=[usrname]&password=[pass]&url="><script>alert(1);</script>

//-- FixIT --//

Open member.php

GoTo Line :- 1030 ..

if($mybb->input['url'])
{
    redirect($mybb->input['url'], $lang->redirect_loggedin);
}

Replace It With

if($mybb->input['url'])
{
    redirect(htmlspecialchars($mybb->input['url']), $lang->redirect_loggedin);
}

//-- --//
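
Added example (not part of the original post and not MyBB code): the fix above encodes the url parameter on output; this sketch goes one step further and also restricts the value to a site-relative target before encoding it. It assumes the value ends up inside a double-quoted HTML attribute; safe_redirect_target() and html_attr() are hypothetical helper names, and the sample inputs are constructed.

```php
<?php
// Added example. Helper names are hypothetical, not MyBB functions.

// Return $url only if it is a site-relative target, otherwise $fallback.
function safe_redirect_target(string $url, string $fallback = 'index.php'): string
{
    // Reject empty values, control characters and backslashes
    // (some browsers treat a backslash like a forward slash).
    if ($url === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $url)) {
        return $fallback;
    }
    $parts = parse_url($url);
    // A scheme or a host (including protocol-relative "//host/...")
    // means the target is not on this site.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $url;
}

// Encode for an HTML attribute context: both quote styles, explicit charset.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs; the third is the url value from the report above.
$samples = [
    'index.php',
    'member.php?action=profile',
    '"><script>alert(1);</script>',
    'javascript:void(0)',
    '//other.example/path',
    'https://other.example/',
];

if (PHP_SAPI === 'cli') {
    foreach ($samples as $raw) {
        // Validate first, then encode at the point of output.
        $target = safe_redirect_target($raw);
        printf("%-32s => <a href=\"%s\">\n", $raw, html_attr($target));
    }
}
```

The reported value passes the relative-target check but is rendered inert by the encoding step, while the last three inputs fall back to index.php because they carry a scheme or host.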