MyBB 1.6.4 Username Style Persistent XSS Vulnerability


:————————————————————————————————————————-:
: # Exploit Title : MyBB 1.6.4 Username Style Persistent XSS Vulnerability
: # Date : 22 August 2011
: # Author : X-Cisadane
: # Software Link : http://www.mybb.com/downloads
: # Version : 1.6.4
: # Category : Web Applications
: # Vulnerability : Persistent XSS
: # Tested On : Chromium Web Browser v13 (Linux Ubuntu))
: # Dorks : Powered By MyBB, © 2002-2011 MyBB Group
: # Greetz to : X-Code, Muslim Hackers, Depok Cyber, Hacker Cisadane, Borneo Crew, Dunia Santai, Jiban Crew, Winda Utari
:————————————————————————————————————————-:
# Description : By creating or editing Username Style with this XSS code, can cause a Persistent XSS Defacing on the Main Page/Portal Page.

# XSS Code.
{username}

# How To Start XSS?
[1] Login As An Administrator.
[2] Go To http://your MyBB Forum/admin/index.php?module=user-groups&action=edit&gid=4
Default gid (Group Id) = 1 (Guests), 2 (Registered), 3 (Super Moderators), 4 (Administrators), etc

[3] Edit User Group, Insert XSS Code In The Username Style.

[4] Save User Group.
[5] Go To Your Index Page Or Portal Page Or Go To http://your MyBB Forum/admin/index.php?module=user

Voila!

,

  1. No comments yet.
(will not be published)