MyBB CMS (Create Forum Page) Cross-Site Scripting Vulnerability

2016-04-13 13:25:08
Posted by: irist.ir

#####################################

# Iranian Exploit DataBase

# MyBB CMS (Create Forum Page) Cross-Site Scripting Vulnerability

# Vulnerability : XSS vulnerability

# Vulnerability on : (Create Forum page and Edit Forum)

# Version : 1.6* and 1.8.*

# Tested : 1.6.18 and 1.8.7

# Vendor site : http://mybb.com/

# pic : http://kkli.ir/K9dwT

# Author : IeDb.Ir

# Site : Www.IeDb.Ir - Www.IeDb.Ir/acc - xssed.Ir - kkli.ir

# Vulnerability attack information site : http://xssed.Ir/

# Archive Exploit = http://kkli.ir/tZa6l

#####################################

# Bug :

http://www.site.com/mybb/admin/index.php?module=forum-management

-----------------------------


# Description :

First, log in to the control panel with your admin user.
Then go to Forums and Posts.
Then click Add Forum.
Create your community and forum.
Then go into that section and click Edit Profile.

pic : http://kkli.ir/NYHS7

After getting into the community and forum edit form,
you can put your XSS code in the Forum, as well as in forums.

pic : http://up.iedb.ir/uploads/mybb-bug3.jpg

Then we save the association that was made.
Then we just go in while logged in.
As you can see, your XSS code is executed.

pic : http://kkli.ir/1pDlv

Using this bug and security problem, a small program can steal the cookies of users who come to this forum.

The bug works in all versions and is a medium security problem.
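
The rendering flaw described above and its fix, as an added example that is not part of the original advisory and is not MyBB's own code. The function names, the link path and the sample forum row are hypothetical and constructed for illustration.

```php
<?php
// Added example. Function names are hypothetical; this is not MyBB code.

// Constructed sample row: a forum whose name and description were saved
// through the admin edit form with markup in them.
$forum = [
    'fid'         => '2',
    'name'        => 'General <script>alert(1)</script>',
    'description' => '<img src=x onerror="alert(1)"> Talk about anything',
];

// Vulnerable pattern: stored values go into the page unchanged, so the
// browser of every visitor parses them as markup.
function render_forum_unsafe(array $forum): string
{
    return '<a href="forumdisplay.php?fid=' . $forum['fid'] . '">'
         . $forum['name'] . '</a>'
         . '<div class="desc">' . $forum['description'] . '</div>';
}

// Output encoding for HTML text and quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: encode at the point of output, cast the numeric id.
function render_forum_safe(array $forum): string
{
    return '<a href="forumdisplay.php?fid=' . (int) $forum['fid'] . '">'
         . e($forum['name']) . '</a>'
         . '<div class="desc">' . e($forum['description']) . '</div>';
}

$unsafe = render_forum_unsafe($forum);
$safe   = render_forum_safe($forum);
echo "unsafe: $unsafe\n\nsafe:   $safe\n";

// The encoded output must contain no tag opened by the stored values.
$leaks = preg_match('/<(script|img)\b/i', $safe) === 1;
exit($leaks ? 1 : 0);
```

Setting the HttpOnly flag on the session cookie additionally limits the cookie theft described above, since script injected this way can no longer read that cookie.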

--------------

Exploit is private.
The exploit only to send the news and is also in the process of this vulnerability.
To request exploits, stay tuned with us:

http://iedb.ir

http://iedb.ir/acc/

http://irist.ir

http://xssed.ir


Thanks to : all members of Iedb.ir and Iedb.ir/acc, and all the other friends who are associated with our team.

#####################################

# Archive Exploit = http://iedb.ir/exploits-5031.html

#####################################

Fixes

No fixes
