Advisory: Stored XSS-Vulnerabilities in MyBB v. 1.8.3
Advisory ID: SROEADV-2015-15
Author: Steffen Rösemann
Affected Software: MyBB v. 1.8.3
Vendor URL: http://www.mybb.com
Vendor Status: patched
CVE-ID: -
==========================
Vulnerability Description:
==========================
MyBB v. 1.8.3 suffers from multiple stored XSS-vulnerabilities in the
administrative backend.
==================
Technical Details:
==================
The stored XSS-vulnerabilities can be found in different modules in the
following locations of a common MyBB installation:
======================
Module "config-attachment_types"
======================
via form-field MIME-type:
http://{TARGET}/admin/index.php?module=config-attachment_types&action=add
executed in: e.g. http://{TARGET}/admin/index.php?module=config-attachment_types
===============
Module "config-mycode"
===============
via form fields "title" and "short description":
http://{TARGET}/admin/index.php?module=config-mycode&action=add
executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode
===================
Module "forum-management"
===================
via form field "title":
http://{TARGET}/admin/index.php?module=forum-management&action=add
executed in: e.g. http://{TARGET}/admin/index.php?module=forum
==============
Module "user-groups"
==============
via form fields "title" and/or "short description":
http://{TARGET}/admin/index.php?module=user-groups&action=add
executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups
================
Module "style-templates"
================
via form field "name":
http://{TARGET}/admin/index.php?module=style-templates&action=add_set
executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates
====================================
Module "style-templates" in action "add_template_group"
====================================
via form field "title":
http://{TARGET}/admin/index.php?module=style-templates&action=add_template_group
executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID}
=============
Module "tool-tasks"
=============
via form field "title":
http://{TARGET}/admin/index.php?module=tools-tasks&action=add
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog
=================
Module "config-post_icons"
=================
via form field "name":
http://{TARGET}/admin/index.php?module=config-post_icons&action=add
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog
=============
Module "user-titles"
=============
via form field "title to assign":
http://{TARGET}/admin/index.php?module=user-titles&action=add
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog
================
Module "config-banning"
================
via form field "username":
http://{TARGET}/admin/index.php?module=config-banning&type=usernames
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog
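
The pattern shared by the entries above (a form-field value stored unchanged and later written into another admin page, such as the tools-adminlog view) and its remedy by encoding at output, as an added PHP example. This is not MyBB's code or the 1.8.4 patch; the record layout, function names and sample values are constructed for illustration.

```php
<?php
// Added illustration, not MyBB source. Records and helper names are constructed.

// Constructed sample records: [module, form field, stored value].
$stored = [
    ['tools-tasks',       'title', 'Nightly cleanup'],
    ['config-post_icons', 'name',  '<em>icon</em>'],
    ['user-titles',       'title', 'Senior & "Trusted" Member'],
];

// Encode a stored value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the stored value is concatenated into the log row unchanged,
// so any markup it contains becomes part of the admin page.
function render_log_row_unsafe(array $r): string
{
    return "<tr><td>{$r[0]}</td><td>Added {$r[1]}: {$r[2]}</td></tr>";
}

// "After": every stored value is encoded at the point of output,
// in each page that displays it (listing and log alike).
function render_log_row(array $r): string
{
    return '<tr><td>' . e($r[0]) . '</td><td>Added ' . e($r[1]) . ': '
        . e($r[2]) . '</td></tr>';
}

// Regression check: once the template's own tags are removed, a rendered row
// must not contain raw markup characters.
function has_unexpected_markup(string $row): bool
{
    $stripped = str_replace(['<tr>', '</tr>', '<td>', '</td>'], '', $row);
    return strpbrk($stripped, '<>"\'') !== false;
}

foreach ($stored as $r) {
    printf("%-18s unsafe=%s encoded=%s\n", $r[0],
        var_export(has_unexpected_markup(render_log_row_unsafe($r)), true),
        var_export(has_unexpected_markup(render_log_row($r)), true));
}
```
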
=========
Solution:
=========
Upgrade to v. 1.8.4.
====================
Disclosure Timeline:
====================
02/03-Feb-2015 – found the vulnerabilities
03-Feb-2015 - informed the developers according to their security issue
rules (see [3])
03-Feb-2015 – release date of this security advisory [without technical
details]
03-Feb-2015 - vendor replied, issues will be patched
15-Feb-2015 - vendor released patch v. 1.8.4 (see [4])
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - sent to FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] http://www.mybb.com
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html
[3] http://www.mybb.com/get-involved/security/
[4] http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/