
MyBB 1.2 usercp2.php [ $url ] Cross-Site Scripting ( XSS )



Invalid characters removed from From: o.y.6@xxxxxxxxxxx, |@securityfocus.com,

## MyBB 1.02 usercp2.php XSS
##------------------------------##
## Devil-00 D3vil-0x1 - Attacking MyBB :)##
##                              ##
## devil-00@xxxxxx              ##
##                              ##
##-----------------------------###
##
## File :- usercp2.php
## Var  :- $url
## Lines :-
##              -> 39
##              -> 58
##              -> 84
##              -> 108
##              -> 130
##              -> 149
##              -> 164
##              -> 178
##              -> 192
###################################
## 
## Exploit :-
##-------------------------------------------------------------##
[  Go to any topic .. then go to the end of the page            ]
[  you will see " Add Thread to Favorites "                     ]
[  open the firefox with Live HTTP Headers                      ]
[  and click it .. go to Headers Edit                           ]
[  edit Referer :- "><script>alert(document.cookie);</script>   ]
##-------------------------------------------------------------##
##
## Gr33tz :- www.securitygurus.net
                
                BlackRay <- my new homei
                HACKERS PAL
                Valm0nt
                Abducter
                j7a
                abdalmaged
                Xion
                
                And Others [ S4a Members with SG Members ]
** chow **
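
For defenders, the pattern the advisory points at (a Referer-derived `$url` reaching HTML output unescaped) is shown below next to a hardened form. This is an added example, not MyBB source and not part of the original post: the function names, the `forum.example` host and the assumption that `$url` is filled from the Referer header are all hypothetical.

```php
<?php
// Added illustration, not MyBB code. All names and the host are assumptions.

// Vulnerable pattern: the Referer header is written into markup unchanged.
function redirect_link_unsafe(array $server): string
{
    $url = $server['HTTP_REFERER'] ?? 'index.php';
    return '<a href="' . $url . '">Return</a>';
}

// Layer 1: accept only http(s) URLs on our own host, otherwise use a fixed fallback.
function safe_return_url(array $server, string $ownHost, string $fallback = 'index.php'): string
{
    $ref   = $server['HTTP_REFERER'] ?? '';
    $parts = parse_url($ref);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], $ownHost) !== 0) {
        return $fallback;
    }
    return $ref;
}

// Layer 2: escape for the HTML attribute context at the point of output.
function redirect_link_safe(array $server, string $ownHost): string
{
    $url = safe_return_url($server, $ownHost);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Return</a>';
}

// Constructed sample requests: a normal Referer, the header value from the
// advisory, and the same markup appended to an otherwise same-host URL.
$payload = '"><script>alert(document.cookie);</script>';
$samples = [
    ['HTTP_REFERER' => 'http://forum.example/showthread.php?tid=1'],
    ['HTTP_REFERER' => $payload],
    ['HTTP_REFERER' => 'http://forum.example/showthread.php?tid=1' . $payload],
];

foreach ($samples as $s) {
    echo "unsafe: ", redirect_link_unsafe($s), "\n";
    echo "safe:   ", redirect_link_safe($s, 'forum.example'), "\n\n";
}
```

The third sample passes the host check, so only the output escaping keeps it inside the attribute; validation alone is not sufficient.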