[VIM] MyBB search.php XSS: "sortordr" or "sorder" ? and vendor ACK
Steven M. Christey
coley at mitre.org
Tue Jan 31 12:33:35 EST 2006
[vendor seems to have posted acknowledgement for multiple issues; see
URLs below.]
The MyBB search.php XSS reported by imei here (CVE-2006-0470):
http://archives.neohapsis.com/archives/bugtraq/2006-01/0415.html
says:
checking of two input variables "sortby" & "sortordr" in redirection
page of search pages
however, the demonstration exploit - which only shows an XSS
manipulation of sortby - has a parameter named "sorder" in it.
So is it "sortordr" or "sorder" ?
The vendor seems to acknowledge this here:
http://community.mybboard.net/showthread.php?tid=6418
and the manual patch here is clear:
http://community.mybboard.net/attachment.php?aid=2181
since it includes:
$mybb->input['sortby'] = htmlspecialchars($mybb->input['sortby']);
$mybb->input['sortordr'] = htmlspecialchars($mybb->input['sortordr']);
So this must be, in fact, "sortordr".
A grep of all code from the manual patch shows nothing relevant to
"sorder".
The patch also appears to affect the usercp.php/notepad vector
(CVE-2006-0442)
and the definition of the $op variable in the search.php fix *might*
be relevant to CVE-2006-0406.
There also appears to be an SQL-injection related fix in global.php,
but I'm not sure where it came from - possibly a zero-day exploit.
- Steve
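
The cross-check described in the message above (comparing the parameter names in an advisory against the input keys a patch actually escapes) can be scripted. This is an added example, not code from the original post or from MyBB; the function names are hypothetical, and the only patch text used is the two lines quoted in the message.

```python
import re

# The two patch lines quoted in the message above. The rest of the vendor
# patch is not reproduced on this page, so this sample is deliberately partial.
PATCH_EXCERPT = """\
$mybb->input['sortby'] = htmlspecialchars($mybb->input['sortby']);
$mybb->input['sortordr'] = htmlspecialchars($mybb->input['sortordr']);
"""

# Matches: $mybb->input['KEY'] = htmlspecialchars($mybb->input['KEY'] ...
# The named backreference requires the same key on both sides, so a line that
# escapes one key into another is not counted as escaping either of them.
ESCAPE_RE = re.compile(
    r"""\$mybb->input\[(['"])(?P<key>\w+)\1\]\s*=\s*
        htmlspecialchars\(\s*\$mybb->input\[(['"])(?P=key)\3\]\s*[,)]""",
    re.VERBOSE,
)
# Any mention of an input key at all, escaped or not.
ANY_INPUT_RE = re.compile(r"""\$mybb->input\[(['"])(\w+)\1\]""")


def escaped_keys(patch_text):
    """Input keys the patch overwrites with their htmlspecialchars() form."""
    return {m.group("key") for m in ESCAPE_RE.finditer(patch_text)}


def referenced_keys(patch_text):
    """Every input key the patch text mentions."""
    return {m.group(2) for m in ANY_INPUT_RE.finditer(patch_text)}


def cross_check(advisory_names, patch_text):
    """Classify each parameter name from an advisory against the patch."""
    escaped = escaped_keys(patch_text)
    referenced = referenced_keys(patch_text)
    report = {}
    for name in advisory_names:
        if name in escaped:
            report[name] = "escaped by patch"
        elif name in referenced:
            report[name] = "referenced but not escaped"
        else:
            report[name] = "absent from patch"
    return report


if __name__ == "__main__":
    names = ["sortby", "sortordr", "sorder"]  # names seen in the advisory
    for name, status in cross_check(names, PATCH_EXCERPT).items():
        print(f"{name:10} {status}")
```

A name reported as "absent from patch" only means the patch text does not mention it; it does not by itself show whether the parameter exists or is exploitable in the application.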