23 lines
No EOL
662 B
Text
23 lines
No EOL
662 B
Text
# Exploit Title: MyBB Bans List - Cross Site Scripting
|
|
# Date: 7/25/2018
|
|
# Author: 0xB9
|
|
# Twitter: @0xB9Sec
|
|
# Contact: 0xB9[at]pm.me
|
|
# Software Link: https://community.mybb.com/mods.php?action=view&pid=423
|
|
# Version: 1.0
|
|
# Tested on: Ubuntu 18.04
|
|
# CVE: CVE-2018-14724
|
|
|
|
|
|
1. Description:
|
|
Adds bans.php page, showing a list of banned users and the reason of ban.
|
|
|
|
Any forum user that's a mod can ban users and input a payload into the ban reason which gets executed on the bans.php page.
|
|
|
|
|
|
2. Proof of Concept:
|
|
|
|
- Have a mod account
|
|
- Ban a user
|
|
- Input the following for reason of the ban <script>alert('XSS')</script>
|
|
- Anyone to view page will execute payload |