MyBB Community Forums

Full Version: XSS Vulns in memberlist and modcp.
I'm not very experienced with MyBB, anyone mind telling me how to fix these? I've already looked through both and I cannot find where he has injected his malicious script.

Wow, I'm so high I used my email for username.
Are you using any Facebook connect plugins? That's the issue!! Disable them and try to find a user with a username containing "noscrip"....

Watch out, you registered with your email address and there might be some spambots in here ;)
How do you know he used the memberlist in modcp?
Nope no facebook plugins, etc.

Omar, it's both memberlist.php and modcp.php

I bought a forum from someone, memberlist.php was previously defaced and not fixed, he got admin access through it and did the same to modcp.php?action=finduser&page=2

I've temporarily removed memberlist to prevent it from happening again until I can figure out what's causing it.
Yes, but how do you know the hacker used those files?
(2011-12-12, 11:21 PM)Omar G. Wrote: [ -> ]Yes, but how do you know the hacker used those files?

It's XSS, you have to inject your script onto that page, in this case memberlist.php and modcp.php/blah-blah=1. I know a lot about how XSS works as I use it myself, however I have never been on the receiving end.
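The two posts above describe a stored XSS: a value saved in the forum (the suggestion in the thread is a username containing "noscrip") is later echoed into memberlist.php and the Mod CP user search without being escaped. The following PHP is an added example written for this thread, not code from MyBB or from any poster; it assumes a user row shaped like `['uid' => int, 'username' => string]` (the `mybb_users` table name and `uid`/`username` columns are assumptions about the default schema) and shows a defender-side check for markup in stored usernames next to an unsafe and an escaped rendering of the same row.

```php
<?php
// Added example for the thread above; not MyBB's own code.
// Assumed row shape: ['uid' => int, 'username' => string].

/**
 * Query you could run against the database to list usernames that carry
 * markup characters or the tag fragment mentioned in the thread.
 * Table/column names are assumptions about the default MyBB schema.
 */
const SUSPICIOUS_USERNAME_SQL =
    "SELECT uid, username FROM mybb_users "
  . "WHERE username LIKE '%<%' OR username LIKE '%>%' "
  . "   OR username LIKE '%\"%' OR username LIKE '%noscrip%'";

/** Return the rows whose username contains HTML-significant characters or "noscrip". */
function find_suspicious_usernames(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        $name = $row['username'];
        if (preg_match('/[<>"\']/', $name) === 1 || stripos($name, 'noscrip') !== false) {
            $hits[] = $row;
        }
    }
    return $hits;
}

/** Vulnerable rendering: the stored username goes into the HTML untouched. */
function render_member_row_unsafe(array $row): string
{
    return '<td><a href="member.php?action=profile&uid=' . (int) $row['uid'] . '">'
         . $row['username'] . '</a></td>';
}

/** Hardened rendering: escape on output, so any markup in the name is shown as text. */
function render_member_row_safe(array $row): string
{
    $name = htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
    return '<td><a href="member.php?action=profile&amp;uid=' . (int) $row['uid'] . '">'
         . $name . '</a></td>';
}

// Constructed sample rows (not real forum data).
$rows = [
    ['uid' => 1, 'username' => 'alice'],
    ['uid' => 2, 'username' => 'bob<noscript>marker'],
    ['uid' => 3, 'username' => 'carol"quote'],
];

foreach (find_suspicious_usernames($rows) as $hit) {
    printf("suspicious uid=%d username=%s\n", $hit['uid'], $hit['username']);
}

// Same row, two renderings: the first hands the markup to the browser,
// the second turns '<' and '"' into entities so it is displayed literally.
echo render_member_row_unsafe($rows[1]), "\n";
echo render_member_row_safe($rows[1]), "\n";
```

Replacing memberlist.php and modcp.php with clean copies, as tried later in the thread, does not help when the payload lives in a database row rather than in the PHP files: the stored value has to be found and removed (or renamed), and every template that prints usernames has to escape on output.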
If the problem is only with the forum files, you can try to replace them with a fresh copy of MyBB.
Also check the file permissions.

Of course, this can be achieved if you have FTP access.
(2011-12-12, 11:56 PM)rubsone Wrote: [ -> ]If the problem is with the forum files, you can try to replace them with a fresh copy of MyBB.
Also check the file permissions.

Of course, this can be achieved if you have FTP access.

Already tried that, I replaced memberlist.php and modcp.php with the fresh files directly from MyBB installation .rar, did not fix the issue.
Forum URL?
(2011-12-13, 12:03 AM)[email protected] Wrote: [ -> ]
(2011-12-12, 11:56 PM)rubsone Wrote: [ -> ]If the problem is with the forum files, you can try to replace them with a fresh copy of MyBB.
Also check the file permissions.

Of course, this can be achieved if you have FTP access.

Already tried that, I replaced memberlist.php and modcp.php with the fresh files directly from MyBB installation .rar, did not fix the issue.

Try to replace all of them, except the config file :)