Exploits / Vulnerability Discovered : 2018-09-12 |
Type : webapps |
Platform : php
This exploit / vulnerability Mybb 1.8.17 crosssite scripting is for educational purposes only and if it is used you will do on your own risk!
# 1. Description:
# On the forum RSS Syndication page you can generate a URL for example...
# http://localhost/syndication.php?fid=&type=atom1.0&limit=15, the thread titles on
# those generated links aren't sanitized.
# 2. Proof of Concept:
- Make or find a thread of yours on the RSS feed
- Use this payload as the thread title <a href="//google.com">Cool Thread Title</a>
- View RSS feed with your thread again but with the generated URL and click on your thread
- When the thread is clicked you will be redirected to google.com