MyBB User Profile Skype ID plug-in "skype" parameter HTML Injection Vulnerability

Release date:
Updated on:

Affected Systems:
MyBB User Profile Skype ID 1.x
MyBB User Profile Skype ID 1.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56967

The User Profile Skype ID plug-in allows users to place their Skype IDs in their configuration files.

User Profile Skype ID 1.0 and other versions have not verified usercp. the validity of the "skype" parameter in php can cause the HTML injection vulnerability. Remote attackers can execute arbitrary script code in the user's browser.

<* Source: limb0

Link: http://secunia.com/advisories/51612/
Http://www.exploit-db.com/exploits/23425/
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Proof
Inject: https://imageshack.us/photo/my-images/22/screenshotfrom201212141.png/
Result: https://imageshack.us/photo/my-images/41/screenshotfrom201212141.png/
+ ------------------------------------------------------------- +

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Disable the User Profile Skype ID plug-in

Vendor patch:

MyBB
----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://mods.mybb.com/view/user-profile-skype-id