Full Disclosure mailing list archives

Re: “Cross-Site Scripting” vulnerability in MyBB 1.4.5
From: Andrew Farmer <andfarm () gmail com>
Date: Sun, 3 May 2009 14:19:39 -0700

On 03 May 09, at 05:01, Jacques Copeau wrote:
> Advisory : “Cross-Site Scripting” vulnerability in MyBB
> The XSS renders in all browsers and on various pages inside the myBB
> We consider it to be particularly grave, as it renders on the ACP
> user overview page; this can be easily exploited to construct a universal CSRF
> that introduces malicious php code into the script.

So, er, is this vulnerability XSS, CSRF, or RCE? Pick one and stick  
with it.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/