[F] Custom Profile fields - possible XSS?
#1
Hi,

I am using MyBB 1.4.4 and have one custom profile textfield users are required to fill in.
It seems it isn't properly escaped/checked when viewing threads.

For example, when I specify something like "<script>alert("foo")</script>", it's getting executed by the JavaScript interpreter when viewing the post - I get an alert box displaying "foo".
When viewing the profile itself, the box isn't displayed, though.

Is this a bug or do I have to validate the field myself?
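The behaviour described in the post (the same stored value fires an alert in the post view but not on the profile page) is the signature of a stored XSS where one output path HTML-encodes the field and another interpolates it raw. The following is an added example, not code from the original post and not MyBB's template code: it models two hypothetical render paths for a custom profile field, shows that encoding at the output site neutralises the payload regardless of what input validation did, and shows why quote handling matters when the field lands inside an HTML attribute. The template strings, function names and the sample field values are all constructed assumptions.

```python
import html
import re

# Constructed sample: the value a user typed into the required custom
# profile field (the payload quoted in the post above).
FIELD_VALUE = '<script>alert("foo")</script>'

# Constructed sample aimed at an attribute context rather than element text.
ATTR_PAYLOAD = 'x" onmouseover="alert(1)'

# Hypothetical templates standing in for the postbit and profile render
# paths. These are assumptions for the example, not MyBB's real templates.
POSTBIT_TEMPLATE = '<div class="author_info">Location: {field}</div>'
PROFILE_TEMPLATE = '<tr><td>Location:</td><td>{field}</td></tr>'
ATTR_TEMPLATE = '<a href="/members/42" title="{field}">profile</a>'

# Crude detector for an un-encoded <script opening tag in rendered output.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_postbit_vulnerable(field_value: str) -> str:
    """Interpolate the stored field verbatim: the behaviour the report describes."""
    return POSTBIT_TEMPLATE.format(field=field_value)


def render_postbit_fixed(field_value: str) -> str:
    """Encode at the output site so <, >, &, " and ' become entities."""
    return POSTBIT_TEMPLATE.format(field=html.escape(field_value, quote=True))


def render_profile(field_value: str) -> str:
    """Profile page path, modelled as already encoding (no alert there per the report)."""
    return PROFILE_TEMPLATE.format(field=html.escape(field_value, quote=True))


def render_attribute(field_value: str, escape_quotes: bool) -> str:
    """Field placed inside a double-quoted attribute.

    With escape_quotes=False the payload's " closes the attribute early and
    injects an event handler, even though < and > are encoded.
    """
    return ATTR_TEMPLATE.format(field=html.escape(field_value, quote=escape_quotes))


def contains_live_script(rendered_html: str) -> bool:
    """True if the rendered HTML still contains a raw <script opening tag."""
    return SCRIPT_TAG.search(rendered_html) is not None


def attribute_breakout(rendered_html: str) -> bool:
    """True if the field escaped its attribute and started a new one."""
    return '" onmouseover="' in rendered_html


def audit(field_value: str) -> dict:
    """Run the same stored value through each render path and report which is live."""
    return {
        "postbit_vulnerable": contains_live_script(render_postbit_vulnerable(field_value)),
        "postbit_fixed": contains_live_script(render_postbit_fixed(field_value)),
        "profile": contains_live_script(render_profile(field_value)),
    }


if __name__ == "__main__":
    for path, live in audit(FIELD_VALUE).items():
        print(f"{path:20s} script executes: {live}")
    print("attribute, quote=False breakout:", attribute_breakout(render_attribute(ATTR_PAYLOAD, False)))
    print("attribute, quote=True  breakout:", attribute_breakout(render_attribute(ATTR_PAYLOAD, True)))
```

The point for a practitioner reviewing a report like this one: validating the field on input (or escaping it once, for one page) does not cover the other places the same value is rendered, so the fix is to encode the value at every output site, with the encoding matched to the context (element text versus attribute value) it lands in.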


Messages In This Thread
[F] Custom Profile fields - possible XSS? - by Suhosin - 04-04-2009, 11:26 AM
