Tuesday, March 12, 2019

New MyBB POST XSS Zero-day

Osanda Malith, an independent security researcher, released his new findings in a blog post yesterday. He demonstrated a newly found zero-day that allows an attacker to inject code into MyBB’s search.php file via a POST XSS exploit.

In the blog post, he writes “This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.”

After injection, MyBB spits out an SQL error:


You can view the POC video here:

You can get the POC script here:

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
