Release date: 2011-11-25
Updated on: 2011-11-28
Affected Systems:
MyBB 1.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 50816
MyBB is a popular Web forum program.
MyBB has multiple security vulnerabilities, including cross-site scripting, cross-site request forgery, and other issues. Attackers can exploit these vulnerabilities to execute arbitrary script in the browsers of users of an affected site, steal cookie-based authentication credentials, expose or modify sensitive information, or perform unauthorized actions.
1) An unspecified error exists in the handling of profile pictures in the friend list;
2) Input passed via the user name is not properly sanitized before being returned to the user, allowing arbitrary HTML and script code to execute in a user's browser in the context of the affected site;
3) The application allows users to perform certain actions via HTTP requests without verifying that the requests were intentionally made by the user. For example, a user's language setting can be changed when the user visits a specially crafted web page.
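The following is an added illustration, not MyBB's own code or a patch from the vendor, of the two defenses that close issues 2 and 3 above: HTML-encoding an untrusted user name on output, and rejecting a state-changing request (here, a language change) unless it is a POST carrying a valid per-session anti-CSRF token. The request and session objects, the `csrf_token` parameter name, the allowed-language list and the sample user name are all constructed for the example.

```python
"""Added example (not MyBB code): output encoding for untrusted user names
and an anti-CSRF token check on a state-changing request."""
import hashlib
import hmac
import html
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample: a display name that contains markup.
SAMPLE_USERNAME = "Bob<script>alert(1)</script>"

# Hypothetical whitelist of language packs the handler may switch to.
ALLOWED_LANGUAGES = {"english", "german", "french"}


def render_username_unsafe(username: str) -> str:
    """Vulnerable pattern (issue 2): the stored name is echoed verbatim,
    so any markup in it becomes part of the page."""
    return f'<span class="author">{username}</span>'


def render_username(username: str) -> str:
    """Hardened form: HTML-encode on output so the browser shows the
    name as text instead of parsing it as markup."""
    return f'<span class="author">{html.escape(username, quote=True)}</span>'


def issue_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Derive a per-session anti-CSRF token from a server-side secret.
    A third-party page that triggers a request cannot read this value."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(server_secret: bytes, session_id: str,
                      presented: Optional[str]) -> bool:
    """Recompute the expected token and compare in constant time."""
    if not presented:
        return False
    expected = issue_csrf_token(server_secret, session_id)
    return hmac.compare_digest(expected, presented)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    params: dict = field(default_factory=dict)


@dataclass
class Session:
    """Minimal stand-in for a logged-in user's session."""
    session_id: str
    language: str = "english"


def change_language(req: Request, session: Session,
                    server_secret: bytes) -> Tuple[int, str]:
    """Hypothetical handler for the language-setting change (issue 3).
    Returns (HTTP status, language now stored in the session)."""
    # Browsing to a page must never change state: GET is refused outright.
    if req.method != "POST":
        return 405, session.language
    # A cross-site form post cannot include the victim's token, so it fails here.
    if not verify_csrf_token(server_secret, session.session_id,
                             req.params.get("csrf_token")):
        return 403, session.language
    new_lang = req.params.get("language", "")
    if new_lang not in ALLOWED_LANGUAGES:
        return 400, session.language
    session.language = new_lang
    return 200, session.language


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    session = Session("sess-1")
    print(render_username_unsafe(SAMPLE_USERNAME))
    print(render_username(SAMPLE_USERNAME))
    token = issue_csrf_token(secret, session.session_id)
    print(change_language(Request("GET", {"language": "german"}), session, secret))
    print(change_language(Request("POST", {"language": "german"}), session, secret))
    print(change_language(Request("POST", {"language": "german",
                                           "csrf_token": token}), session, secret))
```

Escaping is applied at output time rather than on input, so a name stored before the fix is still rendered safely; the token check is a separate layer from the POST-only rule because a cross-site form can still submit a POST, it just cannot supply the victim's token.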
<* Source: labrocca
Will G
Nathan Malcolm
Link: http://dev.mybb.com/issues/1729
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
MyBB
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Http://www.mybboard.com/