HELP ME FIX XSS
#21
I tampered with the data and it didn't work. The new image is generated on the new page, thus you can only get what you posted if you edit the actual HTML using something like Firebug. Unless you're explaining it wrong, this is nothing but bogus.
MyBB-Plugins.com is for sale - check this thread for more information.
#22
This user has been denied support.
I tested this multiple times and it doesn't seem to work; instead it refreshes the Captcha image. I even tried on the normal login page, but it didn't give me any popout.

I asked the owner of capitalcorporation to post a list of their plugins on this thread.
#23
I'm the owner of the forum, and these are the plugins I'm currently using:

- Additional Usergroup Images
- Donation Page
- Easy Refer
- FAPCOR
- Forum Icons
- Fit on Page
- Force Postbit Layout
- MyBB Go Mobile
- Goodbye Spammer
- Google SEO
- IP Login History
- My Ad Manager
- My Awards
- My Permissions
- No Search Forum Exclusion
- OUGC Character Count Enhancement
- Reg Security Question
- Report Once
- Sig Image Size
- Stop Self Rating
- Tagging Plugin
- Thread Open Close Self
- Trash Can Forum
- Username History
- Welcome Email/PM
- View Member Reported Posts
#24
A JavaScript popup does not always mean an XSS. XSS = Cross Site Scripting. I'm pretty sure I recall the same report you have going around a year or so ago, and it was dismissed then as well because it can't be exploited from another site. It will only generate to the user.

It's like saying because there is an SQL error that there is an SQL Injection exploit.

From what I see and from what the team members are saying, you should be fine.

Btw... can your friend reproduce on other MyBB forums?
#25
This user has been denied support.
(2013-01-28, 06:56 PM) labrocca Wrote: A JavaScript popup does not always mean an XSS. XSS = Cross Site Scripting. I'm pretty sure I recall the same report you have going around a year or so ago, and it was dismissed then as well because it can't be exploited from another site. It will only generate to the user.

It's like saying because there is an SQL error that there is an SQL Injection exploit.

From what I see and from what the team members are saying, you should be fine.

Btw... can your friend reproduce on other MyBB forums?
Maybe I used another script, but the steps were exactly the same!
I can't understand.
#26
I don't think you understand our messages. Even if it displays such a popup box, it doesn't do any harm to any other user.
#27
It's a trick. Not an exploit or vulnerability that will negatively affect your users or produce a security breach.

