MyBB User Social Networks Plugin 1.2 - Stored XSS

# Exploit Title: User Social Networks MyBB Plugin 1.2 - Cross Site Scripting
# Google Dork: N/A
# Date: 05.09.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage: N/A
# Software Link: http://mods.mybb.com/view/user-social-networks
# Version: 1.2
# Tested on: PHP


Description:
This plugin lets users add social network accounts (or similar) to their
profiles. The information is shown on the user's profile page and is visible
to anyone who views that profile.

Proof of Concept:
1. Log in to your account.
2. Go to the "Edit Profile" page at "/usercp.php?action=profile".
3. Set your Social Network ID to:
"><script>alert(document.cookie)</script><"
4. The result can be seen in multiple places, including your profile page.

* The script is executed whenever anyone views your profile.
** The result can also be seen in threads you participate in IF the administrator
has configured this plugin to publish users' social site information in every
post.

Solution:
Replace the content of "inc/plugins/usersocial.php" with this fix:
http://pastebin.com/T1WgcwDB
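As an added illustration (not the plugin's code and not the linked pastebin fix), the pattern a fix for this class of bug has to apply: validate the handle when it is saved, and HTML-encode it on every output path (profile page and post bit alike). The function names and the whitelist character class are assumptions for this example; MyBB core's own htmlspecialchars_uni() serves the same purpose as the escape helper shown here.

```php
<?php
// Added example, not the plugin's or the fix's code.

// Layer 1: accept only characters a social-network handle can contain.
// The character class is an assumption; adjust it per network.
function usersocial_validate_handle(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 64) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9._-]+$/', $raw) ? $raw : null;
}

// Layer 2: encode on output no matter what is stored, so a row written
// before the fix (or through another path) still cannot inject markup.
function usersocial_escape(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders one profile row the way the template should see it.
function usersocial_render_field(string $label, string $stored): string
{
    return '<tr><td>' . usersocial_escape($label) . '</td><td>'
         . usersocial_escape($stored) . '</td></tr>';
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// The payload from the advisory above, used as a constructed test input.
$payload = '"><script>alert(document.cookie)</script><"';

// Validation rejects it outright and accepts a normal handle.
check(usersocial_validate_handle($payload) === null, 'payload rejected');
check(usersocial_validate_handle('some.user') === 'some.user', 'handle kept');

// Even if a stale row already holds the payload, the rendered HTML contains
// no executable tag: the angle brackets and quotes come out as entities.
$html = usersocial_render_field('Twitter', $payload);
check(strpos($html, '<script>') === false, 'no script tag in output');
check(strpos($html, '&lt;script&gt;') !== false, 'tag was entity-encoded');
echo $html, PHP_EOL;
```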


//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

