Vendor: MyBB Downloads Plugin
By: 0xB9
CVSS: 7.5 (HIGH)
Vulnerability Type: Persistent XSS
CWE: 79
Product Name: MyBB Downloads Plugin
Affected Version From: 2.0.3
Affected Version To: 2.0.3
Patch Exists: YES
Related CWE: None
CPE: a:mybb:mybb_downloads_plugin:2.0.3
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 17.10
Year: 2018
MyBB Downloads Plugin v2.0.3 – Persistent XSS
MyBB Downloads is a plugin that adds a page for downloading files. If enabled, regular members can submit new downloads to the page, which become visible after admin approval. The download title is not sanitized before it is rendered: an attacker can submit a download whose title contains <BODY ONLOAD=alert('XSS')>, and when the admin opens the validation page for that download, the injected script executes in the admin's browser (in this proof of concept, an alert box is shown).
Mitigation:
Update to the latest release and apply the patch from https://github.com/vintagedaddyo/MyBB_Plugin-Downloads/pull/1/commits/f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9