MyBB 'search.php' Cross-Site Scripting Vulnerability

Bugtraq ID:	30401
Class:	Input Validation Error
CVE:	CVE-2008-3334
Remote:	Yes
Local:	No
Published:	Jul 28 2008 12:00AM
Updated:	Jul 28 2008 09:07PM
Credit:	This issue was disclosed by the vendor.
Vulnerable:	MyBB MyBB 1.2.12 MyBB MyBB 1.2.2 MyBB MyBB 1.2.1 MyBB MyBB 1.2 MyBB MyBB 1.1.3 MyBB MyBB 1.1
Not Vulnerable:	MyBB MyBB 1.2.14

MyBB 'search.php' Cross-Site Scripting Vulnerability

MyBB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to MyBB 1.2.14 are vulnerable.

MyBB 'search.php' Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

MyBB 'search.php' Cross-Site Scripting Vulnerability

Solution:
The vendor released MyBB 1.2.14 to address this issue. Please see the references for more information.


MyBB MyBB 1.1

• MyBB mybb_1214.zip
  http://www.mybboard.net/download/latest

MyBB MyBB 1.1.3

• MyBB mybb_1214.zip
  http://www.mybboard.net/download/latest

MyBB MyBB 1.2

• MyBB mybb_1214.zip
  http://www.mybboard.net/download/latest

MyBB MyBB 1.2.1

• MyBB mybb_1214.zip
  http://www.mybboard.net/download/latest

MyBB MyBB 1.2.12

• MyBB mybb_1214.zip
  http://www.mybboard.net/download/latest

MyBB MyBB 1.2.2

• MyBB mybb_1214.zip
  http://www.mybboard.net/download/latest

MyBB 'search.php' Cross-Site Scripting Vulnerability

References:

• MyBB 1.2.14 Released - Security & Maintenance Release (MyBB)
  
• MyBulletinBoard Homepage (MyBulletinBoard)