MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements CVE-2018-10678
> MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements,
> which makes it easier for remote attackers to conduct redirection attacks.
>
> ------------------------------------------
>
> [Additional Information]
> is parsing link with target="_blank" rel="noopener"
> <a class=mycode_url href=malicious.html target="_blank" rel="noopener"> malicious.html </a>
>
> MyBB users with the Microsoft Edge browser are vulnerable to this attack
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> target=_blank Phishing attack in chat
>
> ------------------------------------------
>
> [Vendor of Product]
> MyBB
>
> ------------------------------------------
>
> [Affected Product Code Base]
> MyBB - Version 1.8.15
>
> ------------------------------------------
>
> [Affected Component]
> MyBB, formerly MyBBoard and originally MyBulletinBoard, is a free and open source forum software developed by the MyBB Group
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [CVE Impact Other]
> Phishing & Invalidate redirect
>
> ------------------------------------------
>
> [Discoverer]
> Mayur Udiniya
>
> ------------------------------------------
>
> [Reference]
> https://blog.mybb.com
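
For defenders auditing rendered forum output, the following added example (not part of the advisory and not MyBB code) flags `target="_blank"` links that rely on `rel="noopener"` alone, which is the markup the advisory reports as mishandled by Microsoft Edge. The function names and sample HTML are hypothetical, and treating `rel="noreferrer"` as the fallback that such a browser honors is an assumption of this example.

```javascript
// Added example: audit rendered HTML for new-tab links that depend on rel="noopener" alone.
// Assumption (not from the advisory): rel="noreferrer" also severs window.opener and is
// honored by browsers that ignore noopener, so its presence is treated as "ok".

// Parse the attributes of one opening <a ...> tag; handles quoted and unquoted values.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<a/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // First occurrence wins, matching how HTML parsers treat duplicate attributes.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per target=_blank link whose rel does not include noreferrer.
// Limitation: the tag regex does not handle a literal '>' inside an attribute value.
function auditLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a(?=[\s>\/])[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if ((a.target || '').toLowerCase() !== '_blank') continue;
    const rel = new Set((a.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    let status = 'unprotected';               // no opener protection at all
    if (rel.has('noreferrer')) status = 'ok';
    else if (rel.has('noopener')) status = 'noopener-only'; // the case in the advisory
    if (status !== 'ok') findings.push({ href: a.href || '', status });
  }
  return findings;
}

// Constructed sample input; the first line is the markup quoted in the advisory.
const SAMPLE = [
  '<a class=mycode_url href=malicious.html target="_blank" rel="noopener"> malicious.html </a>',
  '<a href="https://example.org/" target="_blank" rel="noopener noreferrer">ok</a>',
  "<a href='/local' target=_BLANK>no rel</a>",
  '<a href="/same-tab">same tab</a>',
].join('\n');

console.log(auditLinks(SAMPLE));
```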