PROJECT INSECURITY

[+]---------------------------------------------------------[+]
| Vulnerable Software: MyBB Forum Software                    |
| Vendor: https://mybb.com/                                   |
| Vulnerability Type: File Enumeration, XSS, FPD              |
| Date Released: 2017                                         |
| Released by: 5tarboy (@insecurity)                          |
[+]---------------------------------------------------------[+]

MyBB (versions 1.8.12 and prior at the time of writing) is vulnerable to a cross-site scripting bug that would allow a moderator to take over an administrator's account. In addition, file enumeration is possible in instances where it is not possible to spawn a shell. This can be used in conjunction with the full path disclosure (FPD) and other bugs to elevate the level of access and map out a potential attack surface.

-------------------------------------------------------------------------------------------------------------
Cross-Site Scripting:
-------------------------------------------------------------------------------------------------------------

A moderator or administrator can make an announcement and can inject JavaScript into it. MyBB, however, says:

> Should HTML be parsed in the announcement? (Javascript is removed)
> Source: https://docs.mybb.com/1.6/Mod-CP-Forums-Posts/#Adding.2FEditing_an_Announcement