Release date:
Updated on:
Affected Systems:
MyBB Profile Xbox Live ID 1.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56978
The Profile Xbox Live ID plug-in displays a user's Xbox Live ID on their profile.
Profile Xbox Live ID 1.0 and other versions do not correctly verify the validity of the "xli" parameter in usercp.php. This can be exploited to inject arbitrary HTML and script code that executes in the user's browser, and arbitrary SQL, resulting in cross-site scripting and SQL injection attacks.
Vulnerability code:
function profilexli_update($xli)
{
    global $mybb;
    // The raw request value is copied into the update data with no validation or escaping
    if (isset($mybb->input['xlil']))
    {
        $xli->user_update_data['xlil'] = $mybb->input['xlil'];
    }
}
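The same hook shown next to a hardened version, as an added example that is not the plug-in's own code: the hook and field names come from the advisory, while the gamertag format rule (1-15 letters, digits or spaces) and the helper names are assumptions.

```php
<?php
// Added example (not the plug-in's code). Field names follow the advisory;
// the gamertag format rule and the helper function names are assumptions.

// Vulnerable pattern from the advisory: request input stored verbatim.
function profilexli_update_vulnerable($xli, array $input)
{
    if (isset($input['xlil'])) {
        $xli->user_update_data['xlil'] = $input['xlil'];
    }
}

// Hardened input side: accept only a whitelisted gamertag format.
// Returns the clean value, '' to clear the field, or null when rejected.
function validate_gamertag($value)
{
    $value = trim((string) $value);
    if ($value === '') {
        return '';
    }
    if (!preg_match('/^[A-Za-z0-9 ]{1,15}$/', $value)) {
        return null;
    }
    return $value;
}

function profilexli_update_hardened($xli, array $input)
{
    if (!isset($input['xlil'])) {
        return true;
    }
    $tag = validate_gamertag($input['xlil']);
    if ($tag === null) {
        return false; // caller should report "invalid gamertag" and abort the save
    }
    // In MyBB the value would additionally pass through $db->escape_string()
    // before reaching the UPDATE query; omitted here to keep the example stand-alone.
    $xli->user_update_data['xlil'] = $tag;
    return true;
}

// Hardened output side: always HTML-escape before rendering on the profile page,
// so even a value that slipped past validation cannot become markup.
function render_gamertag($tag)
{
    return htmlspecialchars($tag, ENT_QUOTES, 'UTF-8');
}

// Constructed check: the advisory's payload is rejected, a normal tag is accepted.
$profile = new stdClass();
$profile->user_update_data = array();
var_dump(profilexli_update_hardened($profile, array('xlil' => '"><script>alert(1)</script>')));
var_dump(profilexli_update_hardened($profile, array('xlil' => 'Master Chief')));
echo render_gamertag('"><b>x</b>'), "\n";
```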
<* Source: limb0
Link: http://packetstormsecurity.org/files/118927/MyBB-Xbox-Live-ID-Cross-Site-Scripting.html
http://secunia.com/advisories/51620/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
+ ------------------------------------------------------------ +
Stored XSS-Instructions
1. Install & Activate plugin
(You may get an error about a "/" on line 31.
Open your plugin file and delete the slash. The coder didn't notice that.)
2. Go to UserCP > Edit Profile > Xbox Live ID
3. Inject your string (XSS), e.g. "><script>alert(1)</script>
4. Visit your profile and voila
Proof
Inject: http://postimage.org/image/hpxk33od3/
Result: postimage.org/image/6vzb5sqgd/
+ ------------------------------------------------------------- +
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Disable the Profile Xbox Live ID plug-in
Vendor patch:
MyBB
----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the software check the vendor's homepage to obtain the latest version:
http://mods.mybb.com/view/profile-xbox-live-id