[VIM] MyBB search.php XSS: "sortordr" or "sorder" ? and vendor ACK

Steven M. Christey coley at mitre.org
Tue Jan 31 12:33:35 EST 2006

[vendor seems to have posted acknowledgement for multiple issues; see
URLs below.]

The MyBB search.php XSS reported by imei here (CVE-2006-0470):



  checking of two input variables "sortby" & "sortordr" in redirection
  page of search pages

however, the demonstration exploit - which only shows an XSS
manipulation of sortby - has a parameter named "sorder" in it.

So is it "sortordr" or "sorder" ?

The vendor seems to acknowledge this here:


and the manual patch here is clear:


since it includes:

  $mybb->input['sortby'] = htmlspecialchars($mybb->input['sortby']);
  $mybb->input['sortordr'] = htmlspecialchars($mybb->input['sortordr']);
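
Review bot: both lines call htmlspecialchars() with its default flags, which before PHP 8.1 leave single quotes unescaped, so the escaping only holds if search.php emits these values in element content or double-quoted attributes; passing ENT_QUOTES would cover the single-quoted case too. Writing the escaped string back into $mybb->input also means any later non-HTML use of sortby or sortordr sees the entity-encoded value. Since the names suggest a sort column and a sort direction, checking each against a fixed list of accepted values and falling back to a default would be tighter than escaping alone.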

So this must be, in fact, "sortordr".

A grep of all code from the manual patch shows nothing relevant to

The patch also appears to affect the usercp.php/notepad vector

and the definition of the $op variable in the search.php fix *might*
be relevant to CVE-2006-0406.

There also appears to be an SQL-injection related fix in global.php,
but I'm not sure where it came from - possibly a zero-day exploit.

- Steve
