=0D
Vulnerable products : MYBB 1.x=0D
Vendor: http://www.mybboard.net=0D 
Risk: Low=0D
Vulnerabilities: MYBB XSS and Dir Traversal in usercp.php =0D
=0D
Date :=0D
--------------------=0D
Found : Feb 22 2006=0D
Vendor Contacted : N/A=0D
Release Date : N/A=0D
=0D
About :=0D
--------------------=0D
MyBB is a powerful, efficient and free forum package developed in PHP and MySQL.MyBB has been designed with the end users in mind, you and your subscribers. Full control over your discussion system is p resented right at the tip of your fingers, from multiple styles and themes to the ultimate customisation of your forums using the template system.=0D
=0D
=0D
=0D
Vulnerability:=0D
--------------------=0D
Cross_Site_Scripting (XSS,CSS):=0D
=0D
MYBB is affected by a cross-site scripting vulnerability. This issue is due to the failure of the application to properly sanitize user-=0D
supplied input.=0D
=0D
As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed=0D
in the browser of an unsuspecting user when followed.=0D
=0D
=0D
Detail and PoC :=0D
--------------------=0D
=0D
Cross_Site_Scripting:=0D
=0D
The application does not validate the "gallery" variable upon submission to the usercp.php script. =0D
=0D
POC:=0D
/usercp.php?action=avatar&gallery=%22%3E%3Cscript%3Ealert(1)%3C/script%3E=0D
=0D
=0D
=0D
Dir Traversal For images:=0D
=0D
POC:=0D
/usercp.php?action=avatar&gallery=../../uploads=0D
usercp.php?action=do_avatar&gallery=../../../../../../..dir&avatar=myfile=0D
=0D
Solution :=0D
--------------------=0D
N/A=0D
=0D
Credit :=0D
--------------------=0D
Discoverd by : Roozbeh Afrasiabi=0D
roozbeh_afrasiabi[at]yahoo[dot]com=0D
black_death[at]kapda[dot]net=0D
=0D
POC by : imei addmimistrator=0D
addmimistrator[at]gmail[dot]com=0D
imei[at]Kapda[dot]net=0D
=0D
=0D
--------------------=0D