+1 vote
asked in CMS Patching by (130 points)

# Exploit Title: MyBB Like Plugin 3.0.0 - Cross-Site Scripting

# Date: 2018-08-01

# Author: 0xB9

# Twitter: @0xB9Sec

# Software Link: https://community.mybb.com/mods.php?action=view&pid=360

# Version: 3.0.0

# Tested on: Ubuntu 18.04

# CVE: N/A


1 Answer

0 votes
answered by (550 points)

The file

/inc/plugins/thankyoulike.php

does not sanitize the output before showing the post and subject data to the user in their profile.

Add the following lines at line 2074 (create two new lines if there is content on line 2074):

     $post['subject'] = htmlspecialchars_uni($post['subject']);
     $thread['subject'] = htmlspecialchars_uni($thread['subject']); 

When the page outputs the profile, any HTML will be encoded.

Alternatively update your MyBB Like Plugin to 3.1.0 or later from the MyBB Community hub.

The 3.1.0 changelog includes the sanitization of the post and thread subject fields, as above:

Changelog:

*[FIX] - Sanitize post and thread names
*[FIX] - Trophy post - content wordwrap
*[FIX] - broken URL in ACP plugin setting - PHP date/time
*[FIX] - Collapse/expand buttons are not loaded

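As an added example (not code from the plugin, from MyBB, or from the answer above), the following PHP script shows why the two-line patch works: the same stored subject is rendered once the way the unpatched profile page does it and once through htmlspecialchars_uni(). The htmlspecialchars_uni() defined here is a stand-in that approximates MyBB's function from inc/functions.php (an assumption, so the script runs without a MyBB install); the $post and $thread rows, the render_* functions and contains_raw_markup() are constructed for illustration.

```php
<?php
// Added example: demonstrates output encoding of stored subjects before they
// reach profile HTML. Not part of the MyBB Like Plugin or the original post.

// Stand-in approximating MyBB's htmlspecialchars_uni() (assumption), defined
// here so the script is self-contained.
function htmlspecialchars_uni($message)
{
    // Encode & unless it already starts a numeric entity, so &#1234; survives
    $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// Constructed sample rows, shaped like what the plugin reads back from the
// posts and threads tables after a stored XSS payload was saved as a subject.
$post   = array('subject' => '<img src=x onerror=alert(document.cookie)>');
$thread = array('subject' => 'Re: "quoted" & <b>bold</b>');

// Before the fix: the subjects are concatenated into the profile HTML as-is.
function render_unsafe(array $post, array $thread)
{
    return '<tr><td>' . $post['subject'] . '</td><td>' . $thread['subject'] . '</td></tr>';
}

// After the fix: the two lines from the answer run before the values are output.
function render_fixed(array $post, array $thread)
{
    $post['subject']   = htmlspecialchars_uni($post['subject']);
    $thread['subject'] = htmlspecialchars_uni($thread['subject']);
    return '<tr><td>' . $post['subject'] . '</td><td>' . $thread['subject'] . '</td></tr>';
}

// Reviewer check: user-controlled text that was encoded can no longer contain
// a raw tag delimiter or a raw double quote.
function contains_raw_markup($html_cells)
{
    return preg_match('/<|>|"/', $html_cells) === 1;
}

// Strip the <tr>/<td> wrapper we wrote ourselves so only the user data is inspected.
function user_cells_only($html)
{
    return preg_replace('#</?t[rd]>#', '', $html);
}

$unsafe = render_unsafe($post, $thread);
$fixed  = render_fixed($post, $thread);

echo "unsafe: $unsafe\n";
echo "fixed:  $fixed\n";

// true: the <img onerror=...> payload reaches the browser as markup and executes.
var_dump(contains_raw_markup(user_cells_only($unsafe)));
// false: the same payload is rendered as literal text.
var_dump(contains_raw_markup(user_cells_only($fixed)));
```

Run it with the php CLI. The first check flags the raw tag in the unpatched output; the second does not, because every `<`, `>`, `"` and bare `&` in the subjects has been turned into an entity. Note that this is output encoding for an HTML text context only: a subject placed inside an attribute or a script block would need the encoding appropriate to that context.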
Sploitpatch - FREE Web Application Patches, Just Ask!