BugTraq
MyBB 1.10 New CrossSiteScripting ' member.php '
Apr 12 2006 07:29PM
o y 6 hotmail com
//-- MyBB 1.10 New CrossSiteScripting ' member.php ' --//
Web attack (the url parameter of the do_login request is passed to redirect() unescaped):
/mybb/member.php?action=do_login&username=[usrname]&password=[pass]&url=
"><script>alert(1);</script>
//-- FixIT --//
Open member.php and go to line 1030, where you will find:
// Vulnerable code as shipped: the request's "url" value is handed to redirect()
// with no escaping or validation. Per this report, markup placed in that
// parameter is reflected into the response (cross-site scripting).
if($mybb->input['url'])
{
redirect($mybb->input['url'], $lang->redirect_loggedin);
}
Replace it with:
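// Escape the user-supplied redirect target before it reaches redirect().
// ENT_QUOTES also encodes single quotes (the htmlspecialchars() default before
// PHP 8.1, ENT_COMPAT, leaves them as-is), so the value cannot close an
// attribute delimited by either quote style.
// NOTE(review): redirect() is not shown here. Escaping only stops markup
// injection; it does not constrain the scheme or host of the target, so confirm
// the value is also limited to http(s) URLs on this board.
if($mybb->input['url'])
{
    redirect(htmlspecialchars($mybb->input['url'], ENT_QUOTES), $lang->redirect_loggedin);
}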
//-- --//
Web attack (the url parameter of the do_login request is passed to redirect() unescaped):
/mybb/member.php?action=do_login&username=[usrname]&password=[pass]&url=
"><script>alert(1);</script>
//-- FixIT --//
Open member.php and go to line 1030, where you will find:
// Vulnerable code as shipped: the request's "url" value is handed to redirect()
// with no escaping or validation. Per this report, markup placed in that
// parameter is reflected into the response (cross-site scripting).
if($mybb->input['url'])
{
redirect($mybb->input['url'], $lang->redirect_loggedin);
}
Replace it with:
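// Escape the user-supplied redirect target before it reaches redirect().
// ENT_QUOTES also encodes single quotes (the htmlspecialchars() default before
// PHP 8.1, ENT_COMPAT, leaves them as-is), so the value cannot close an
// attribute delimited by either quote style.
// NOTE(review): redirect() is not shown here. Escaping only stops markup
// injection; it does not constrain the scheme or host of the target, so confirm
// the value is also limited to http(s) URLs on this board.
if($mybb->input['url'])
{
    redirect(htmlspecialchars($mybb->input['url'], ENT_QUOTES), $lang->redirect_loggedin);
}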
//-- --//