MyBB Community Forums

Full Version: Custom Profile Fields tutorial vulnerable to STORED XSS
I used this tutorial for my forum in order to let users add their custom background image on their threads/posts.

The tutorial uses only a simple regex as "security".
A simple XSS bypass is just to add, near the video source, an XSS payload like: https://i.imgur.com/ka73p3w.gif"><script>alert()</script>

The thread does not talk about any template conditional "safety", as Omar explains here: https://community.mybb.com/thread-215732.html

I took down the custom fields from my forum, but I want somehow to get them back in a secure way; can someone help me with that? I don't understand how I should encode the value entered by the user in the vulnerable field.

How can I encode the input ?
I submit a modification of the regexp in the tutorial
(2022-01-09, 05:58 PM)Crazycat Wrote: I submit a modification of the regexp in the tutorial

REGEX is not XSS security; every regex you would use there is inefficient, there will always be a bypass.
(2022-01-09, 06:03 PM)Noter33 Wrote:
(2022-01-09, 05:58 PM)Crazycat Wrote: I submit a modification of the regexp in the tutorial

REGEX is not XSS security; every regex you would use there is inefficient, there will always be a bypass.

The regex will validate (or refuse) the value given. That's the better way (not the best) to limit risks.
If you don't want any risk, do not allow external content or anything you cannot really trust in custom fields, or better, don't use custom fields.
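As an added example (not code from the tutorial or from either poster) of the two layers the thread arrives at: an allowlist regex that refuses values which do not look like an image URL, plus output encoding for the attribute context, which is what actually answers "How can I encode the input?" and keeps the stored value harmless even if validation is bypassed. Function names are this example's own; in MyBB, htmlspecialchars_uni() could replace the htmlspecialchars() call.

```php
<?php
// Added example, not code from the MyBB tutorial or this thread.
// Two layers: an allowlist validator at submit time, and attribute
// encoding at render time. Function names are this example's own.

// Accept only an absolute http(s) URL whose path ends in an image
// extension; return null otherwise. The character class admits no
// quotes, spaces, angle brackets or parentheses, so the value is also
// safe inside a CSS url(), not just inside an HTML attribute.
function validate_image_url(string $input): ?string
{
    $input = trim($input);
    if (strlen($input) > 2048) {
        return null;
    }
    $pattern = '#^https?://[A-Za-z0-9.-]+(?::\d+)?/[A-Za-z0-9._~/%-]*\.(?:png|jpe?g|gif|webp)$#i';
    if (!preg_match($pattern, $input) || filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $input;
}

// Encode for a double-quoted HTML attribute. ENT_QUOTES converts both
// quote characters to entities, so a stored value cannot close the
// attribute or the tag even when validation was skipped or bypassed.
function attr_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The fragment a template would print; empty string when the value is rejected.
function background_style(string $stored): string
{
    $url = validate_image_url($stored);
    return $url === null ? '' : 'style="background-image: url(' . attr_encode($url) . ');"';
}

// The payload quoted in the thread, used here as a constructed test input.
$payload = 'https://i.imgur.com/ka73p3w.gif"><script>alert()</script>';
var_dump(background_style($payload) === '');   // the validator refuses it outright
echo attr_encode($payload), PHP_EOL;           // encoding alone already neuters the quote and tags
echo background_style('https://i.imgur.com/ka73p3w.gif'), PHP_EOL;   // a plain image URL passes unchanged
```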