Advisory : “Cross-Site Scripting” vulnerability in MyBB

Application: MyBB
Vulnerable Versions: <= 1.4.5
Reported By: Jacques Copeau

Description
***********

MyBB is a forum package full of useful and to-the-point features, helping you
to make administrating your bulletin board as easy as possible. We highlighted
some of MyBB's best capabilities, to show you why you should choose MyBB over
any other discussion board.

Details
*******
MyBB suffers from failure to properly sanitize user input, resulting in
cross-site-scripting vulnerabilities.
By entering malicious scripts into the Avatar URL field in the user control
panel, attackers can steal login credentials, attack user pcs, manipulate
board settings and even to introduce malicious php scripts into the board.
http://yourdomain.com/somefile.png?"><script>alert('xss')</script>

http://yourdomain.com/somefile.png must be a valid link to an image file
meeting the board settings for avatars.

Discussion
*******
The XSS renders in all browsers and on various pages inside the myBB software.
We consider it to be particularly grave, as it renders on the ACP user overview
page; this can be easily exploited to construct a universal CSRF vulnerability
that introduces malicious php code into the script.

Fix Information
***************
Update to MyBB 1.4.6

Note
***************
This vulnerability was discovered as part of a survey, which will be released
at a later date.

Timeline:
***********
April 29th 2009: Contacted Vendor
April 30th 2009: Vendor reaction: "bogus"
April 30th 2009: Vendor corrects statement
May 3rd 2009: Patch released
May 3rd 2009: Full Disclosure

References:
***********

http://www.mybboard.net/