<<< Date Index >>>     <<< Thread Index >>>

MyBB 1.10 New CrossSiteScripting ' member.php '



//-- MyBB 1.10 New CrossSiteScripting ' member.php ' --//

Webattack :-
        
/mybb/member.php?action=do_login&username=[usrname]&password=[pass]&url="><script>alert(1);</script>

//-- FixIT --//

        Open member.php
    GoTo Line :- 1030 ..


        if($mybb->input['url'])
                        {
                                redirect($mybb->input['url'], 
$lang->redirect_loggedin);
                        }


        Replace It With

                if($mybb->input['url'])
                        {
                redirect(htmlspecialchars($mybb->input['url']), 
$lang->redirect_loggedin);
                        }
//-- --//