[VIM] MyBB search.php XSS: "sortordr" or "sorder" ? and vendor ACK
Steven M. Christey
coley at mitre.org
Tue Jan 31 12:33:35 EST 2006
[vendor seems to have posted acknowledgement for multiple issues; see
The MyBB search.php XSS reported by imei here (CVE-2006-0470):
checking of two input variables "sortby" & "sortordr" in redirection
page of search pages
however, the demonstration exploit - which only shows an XSS
manipulation of sortby - has a parameter named "sorder" in it.
So is it "sortordr" or "sorder" ?
The vendor seems to acknowledge this here:
and the manual patch here is clear:
since it includes:
$mybb->input['sortby'] = htmlspecialchars($mybb->input['sortby']);
$mybb->input['sortordr'] = htmlspecialchars($mybb->input['sortordr']);
So this must be, in fact, "sortordr".
A grep of all code from the manual patch shows nothing relevant to
The patch also appears to affect the usercp.php/notepad vector
and the definition of the $op variable in the search.php fix *might*
be relevant to CVE-2006-0406.
There also appears to be an SQL-injection related fix in global.php,
but I'm not sure where it came from - possibly a zero-day exploit.
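
The cross-check described in this message, as an added example that is not part of the original post or of MyBB's code: it pulls the parameter names the manual patch passes through htmlspecialchars() and compares them with the names in the advisory text and in the demonstration URL. The URL below is a constructed stand-in (placeholder host and values); only the parameter names "sortby" and "sorder" and the two patch lines come from the message.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two lines quoted from the vendor's manual patch in the message above.
PATCH = """\
$mybb->input['sortby'] = htmlspecialchars($mybb->input['sortby']);
$mybb->input['sortordr'] = htmlspecialchars($mybb->input['sortordr']);
"""
# Parameter names as spelled in the advisory text.
ADVISORY_PARAMS = ["sortby", "sortordr"]
# Constructed stand-in for the demonstration URL: host and values are
# placeholders, only the parameter names are taken from the message.
POC_URL = "http://forum.example/search.php?sortby=VALUE&sorder=VALUE"

# Matches only the form used in the patch:
#   $mybb->input['X'] = htmlspecialchars($mybb->input['X']);
ESCAPED = re.compile(
    r"\$mybb->input\['(\w+)'\]\s*=\s*"
    r"htmlspecialchars\(\s*\$mybb->input\['(\w+)'\]\s*\)"
)

def escaped_params(patch_text):
    """Names the patch re-assigns to their own htmlspecialchars() output."""
    return {lhs for lhs, rhs in ESCAPED.findall(patch_text) if lhs == rhs}

def reconcile(patch_text, advisory_params, poc_url):
    """Report, per parameter name, where it was seen and whether the patch escapes it."""
    fixed = escaped_params(patch_text)
    poc = set(parse_qs(urlsplit(poc_url).query, keep_blank_values=True))
    seen = (("advisory", set(advisory_params)), ("poc", poc))
    report = {}
    for name in sorted(set(advisory_params) | poc):
        sources = [label for label, names in seen if name in names]
        report[name] = {"sources": sources, "patched": name in fixed}
    return report

if __name__ == "__main__":
    for name, info in reconcile(PATCH, ADVISORY_PARAMS, POC_URL).items():
        status = "escaped by patch" if info["patched"] else "not touched by patch"
        print(f"{name:10} {'+'.join(info['sources']):14} {status}")
```

A name that appears only in the demonstration URL and is not touched by the patch is the likely typo; a name that appears in the advisory and is escaped by the patch is the one to record.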