
MyBB 1.6.10 'url' Parameter Arbitrary Site Redirection Vulnerability

Low
Advisory ID
ZSL-2013-5152
Release Date
07 August 2013
Vendor
MyBB Group - http://www.mybb.com
Affected Version
1.6.10
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

MyBB, also known as MyBBoard or MyBulletinBoard, is a powerful, efficient, and free forum package, developed using PHP and MySQL.

Description

Input passed via the 'url' parameter to the 'member.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when the user clicks a specially crafted link to the affected script hosted on a trusted domain.
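The unsafe redirect pattern the description refers to, shown beside a same-site check that would reject off-site targets, as an added PHP example (not MyBB's code; the host name, function names and fallback path are assumed):

```php
<?php
// Added example (not MyBB's code): the unsafe pattern the advisory describes,
// beside a hardened check that only allows same-site redirect targets.

// Vulnerable: redirects to whatever the 'url' parameter holds.
function redirect_unsafe(string $url): void
{
    header('Location: ' . $url);
    exit;
}

// Returns true only if $target is a local path or an absolute URL on $ownHost.
function is_local_redirect(string $target, string $ownHost): bool
{
    // Reject CR/LF and other control characters (header injection).
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return false;
    }
    // Relative path: must start with exactly one "/". "//host" and "/\host"
    // are treated by browsers as scheme-relative links to another host.
    if ($target !== '' && $target[0] === '/') {
        return !preg_match('#^/[/\\\\]#', $target);
    }
    $parts = parse_url($target);
    if ($parts === false || empty($parts['host'])) {
        return false; // unparsable, or no host component at all
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false; // javascript:, data: and similar schemes
    }
    return strcasecmp($parts['host'], $ownHost) === 0;
}

// Hardened: falls back to a local page when the target is not same-site.
function redirect_safe(string $url, string $ownHost, string $fallback = '/index.php'): void
{
    $dest = is_local_redirect($url, $ownHost) ? $url : $fallback;
    header('Location: ' . $dest);
    exit;
}

// Constructed checks (assumed forum host: forum.example.com).
assert(is_local_redirect('/forumdisplay.php?fid=2', 'forum.example.com') === true);
assert(is_local_redirect('https://forum.example.com/showthread.php?tid=1', 'forum.example.com') === true);
assert(is_local_redirect('http://other.example/', 'forum.example.com') === false);
assert(is_local_redirect('//other.example/', 'forum.example.com') === false);
assert(is_local_redirect('http://forum.example.com@other.example/', 'forum.example.com') === false);
assert(is_local_redirect('javascript:void(0)', 'forum.example.com') === false);
```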

Proof of Concept
Disclosure Timeline
02.08.2013 Vulnerability discovered.
06.08.2013 Vendor has knowledge about the issue.
07.08.2013 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
07.08.2013 Initial release
17.08.2013 Added reference [3]