CVE-2010-4522

MEDIUM 4.3 / 10.0
Published: December 30, 2010 at 09:00 PM
Modified: April 11, 2025 at 12:51 AM
Source: secalert@redhat.com

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php.

CVSS Metrics

Base Score: 4.3
Severity: MEDIUM
Vector String: AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

MyBB forum software versions 1.4.14 and 1.6.x before 1.6.1 are vulnerable to multiple cross-site scripting (XSS) attacks. Successful exploitation allows remote attackers to inject malicious JavaScript into web pages, potentially leading to account compromise, session hijacking, and data theft.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious payload containing JavaScript code. This payload is designed to perform actions like stealing cookies, redirecting users, or defacing the website.

Step 2: Payload Injection: The attacker submits the crafted payload through a vulnerable input field in editpost.php, member.php, or newreply.php. This could be in a post, profile field, or other user-controllable data.

Step 3: Data Storage: The MyBB software stores the attacker's injected payload in its database.

Step 4: Victim Interaction: A legitimate user views the page containing the attacker's injected payload. This could be by viewing a post, visiting a profile, or viewing a new reply.

Step 5: Payload Execution: The victim's browser renders the page, including the attacker's malicious JavaScript. The browser executes the JavaScript, allowing the attacker to perform actions on behalf of the victim.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and output encoding in MyBB's handling of user-supplied data in several PHP files: editpost.php, member.php, and newreply.php. Specifically, the software fails to properly sanitize user-provided input before rendering it in the HTML output. Without proper output encoding (e.g., HTML entity encoding), an injected script executes in the victim's browser within the context of the vulnerable website, leading to the compromise.
