Bugtraq mailing list archives
MyBB 1.2 usercp2.php [ $url ] CrossSiteScripting ( XSS )
From: o.y.6 () hotmail com, ""@securityfocus.com, D3vil-0x1 () securityfocus com
Date: 29 Jan 2006 20:02:42 -0000
Invalid characters removed from From: o.y.6 () hotmail com, |@securityfocus.com,

## MyBB 1.02 usercp2.php XSS ##
##------------------------------##
## Devil-00 D3vil-0x1 - Attacking MyBB :)##
## devil-00 () s4a cc ##
##-----------------------------###
##
## File :- usercp2.php
## Var :- $url
## Line's :-
## -> 39
## -> 58
## -> 84
## -> 108
## -> 130
## -> 149
## -> 164
## -> 178
## -> 192
###################################
##
## Exploit :-
##-------------------------------------------------------------##
[ Go to any topic .. then go to the end of the page ]
[ you will see " Add Thread to Favorites " ]
[ open the firefox with Live HTTP Headers ]
[ and click it .. go to Headers Edit ]
[ edit Referer :- "><script>alert(document.cookie);</script> ]
##-------------------------------------------------------------##
##
## Gr33tz :- www.securitygurus.net BlackRay <- my new homei HACKERS PAL Valm0nt Abducter j7a abdalmaged Xion And Others [ S4a Members with SG Members ]
** chow **
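Added example, not part of the original post and not MyBB's own code: one way to handle a Referer-derived return URL so that a value like the one in the report cannot break out of an HTML attribute. It assumes the header value ends up in an attribute (as the leading "> in the reported string suggests); safe_return_url(), render_redirect_link() and the host forum.example are hypothetical names.

```php
<?php
// Added illustration only. Function names and forum.example are hypothetical.

/** Return the Referer only if it is a plain http(s) URL on our own host. */
function safe_return_url(?string $referer, string $siteHost, string $fallback = 'index.php'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    // Control characters, quotes and angle brackets have no place in a return URL.
    if (preg_match('/[\x00-\x1f\x7f"\'<>]/', $referer)) {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // Same-host check: the header is client-controlled, so never trust it blindly.
    if (strcasecmp($parts['host'], $siteHost) !== 0) {
        return $fallback;
    }
    return $referer;
}

/** Encode at the point of output, even though the value was validated above. */
function render_redirect_link(string $url): string
{
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $attr . '">Continue</a>';
}

// Constructed sample inputs: a normal Referer, the string from the report,
// and an off-site URL.
$samples = [
    'http://forum.example/showthread.php?tid=1',
    '"><script>alert(document.cookie);</script>',
    'http://other.example/page.php',
];

foreach ($samples as $s) {
    // In a real handler the input would be $_SERVER['HTTP_REFERER'] ?? null.
    echo render_redirect_link(safe_return_url($s, 'forum.example')), PHP_EOL;
}
```

Only the first sample is passed through; the other two fall back to index.php, and the output encoding remains as a second layer if validation is ever loosened.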