MyBB 1.4.3 did not fix the XSS flaw mentioned yesterday. MyBB's patch is a simple blacklist: it replaces ' with \', which does not protect against an attack like this:
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url=\'%2Balert('XSS!')//
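The backslash supplied in the input escapes the backslash that the patch inserts, so the quote still closes the quoted string. A better way to solve this is to use addslashes() (see my previous post), and the best way is to use a whitelist.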
Update (2.12.2008): They fixed it properly (with addslashes()) in MyBB 1.4.4.
kozik
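The difference between the two fixes, as an added example that is not MyBB's code or the author's: it models the 1.4.3 quote-only replacement and an addslashes()-style escape in JavaScript and checks whether the value from the URL above still closes a single-quoted string. The function names, the allow-list pattern, and the assumption that the value lands inside a single-quoted JavaScript string are illustrative.

```javascript
'use strict';
// Added example; function names and the allow-list pattern are assumptions.

// Quote-only replacement, as the post describes the MyBB 1.4.3 patch.
function quoteOnlyEscape(s) {
  return s.replace(/'/g, "\\'");
}

// Same characters PHP addslashes() escapes: ' " \ and NUL.
function addslashesLike(s) {
  return s.replace(/[\\'"]/g, '\\$&').replace(/\0/g, '\\0');
}

// Allow-list for a redirect target: relative path plus query string only.
function isAllowedUrl(s) {
  return /^[A-Za-z0-9_.\/-]+(\?[A-Za-z0-9_=&.-]*)?$/.test(s);
}

// True if an unescaped ' appears, i.e. the value would end a
// single-quoted string literal early and the rest would run as code.
function closesString(escaped) {
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] === '\\') { i++; continue; } // skip the escaped char
    if (escaped[i] === "'") return true;
  }
  return false;
}

// The url= value from the post after URL-decoding (%2B -> +).
const PAGE_VALUE = "\\'+alert('XSS!')//";

function report(value) {
  return {
    quoteOnly: closesString(quoteOnlyEscape(value)),
    addslashes: closesString(addslashesLike(value)),
    allowed: isAllowedUrl(value),
  };
}

console.log(report(PAGE_VALUE));
console.log(report('usercp.php?action=subscriptions'));
```

The scanner only checks for early termination by a quote; it does not model other ways out of a script context.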
