
MyBB 1.8.3 Cross Site Scripting

19 Feb 2015 | Reported by Steffen Roesemann | Type: packetstorm | Source: packetstormsecurity.com

MyBB 1.8.3 stored XSS-vulnerabilities in administrative backend

Code
`Advisory: Stored XSS-Vulnerabilities in MyBB v. 1.8.3  
Advisory ID: SROEADV-2015-15  
Author: Steffen Rösemann  
Affected Software: MyBB v. 1.8.3  
Vendor URL: http://www.mybb.com  
Vendor Status: patched  
CVE-ID: -  
  
==========================  
Vulnerability Description:  
==========================  
  
MyBB v. 1.8.3 suffers from multiple stored XSS-vulnerabilities in the  
administrative backend.  
  
==================  
Technical Details:  
==================  
  
The stored XSS-vulnerabilities can be found in different modules in the  
following locations of a common MyBB installation:  
  
======================  
Module "config-attachment_types"  
======================  
  
via form-field MIME-type:  
  
http://{TARGET}/admin/index.php?module=config-attachment_types&action=add  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=config-attachment_types  
  
===============  
Module "config-mycode"  
===============  
  
via form fields "title" and "short description":  
  
http://{TARGET}/admin/index.php?module=config-mycode&action=add  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode  
  
===================  
Module "forum-management"  
===================  
  
via form field "title":  
  
http://{TARGET}/admin/index.php?module=forum-management&action=add  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=forum  
  
==============  
Module "user-groups"  
==============  
  
via form fields "title" and/or "short description":  
  
http://{TARGET}/admin/index.php?module=user-groups&action=add  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups  
  
================  
Module "style-templates"  
================  
  
via form field "name":  
  
http://{TARGET}/admin/index.php?module=style-templates&action=add_set  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates  
  
====================================  
Module "style-templates" in action "add_template_group"  
====================================  
  
via form field "title":  
  
http://{TARGET}/admin/index.php?module=style-templates&action=add_template_group  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID}  
  
=============  
Module "tools-tasks"  
=============  
  
via form field "title":  
  
http://{TARGET}/admin/index.php?module=tools-tasks&action=add  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog  
  
=================  
Module "config-post_icons"  
=================  
  
via form field "name":  
  
http://{TARGET}/admin/index.php?module=config-post_icons&action=add  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog  
  
=============  
Module "user-titles"  
=============  
  
via form field "title to assign":  
  
http://{TARGET}/admin/index.php?module=user-titles&action=add  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog  
  
================  
Module "config-banning"  
================  
  
via form field "username":  
  
http://{TARGET}/admin/index.php?module=config-banning&type=usernames  
  
executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog  
  
=========  
Solution:  
=========  
  
Upgrade to v. 1.8.4.  
  
  
====================  
Disclosure Timeline:  
====================  
02/03-Feb-2015 - found the vulnerabilities  
03-Feb-2015 - informed the developers according to their security issue rules (see [3])  
03-Feb-2015 - release date of this security advisory [without technical details]  
03-Feb-2015 - vendor replied, issues will be patched  
15-Feb-2015 - vendor released patch v. 1.8.4 (see [4])  
19-Feb-2015 - release date of this security advisory  
19-Feb-2015 - sent to FullDisclosure  
  
========  
Credits:  
========  
  
Vulnerability found and advisory written by Steffen Rösemann.  
  
===========  
References:  
===========  
  
[1] http://www.mybb.com  
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html  
[3] http://www.mybb.com/get-involved/security/  
[4] http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/  
  
  
`
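
For installations that ran 1.8.3 before upgrading, the following added example (not part of the advisory and not MyBB code) checks values stored through the fields listed above for HTML markup and reports the admin module in which the advisory says each value is rendered. The record format, the `audit` helper and the sample rows are constructed assumptions; exporting the stored values from the database is left to the operator.

```python
import html
import re

# Admin module -> (form fields named in the advisory, module that renders them).
ADVISORY_FIELDS = {
    "config-attachment_types": (["MIME-type"], "config-attachment_types"),
    "config-mycode": (["title", "short description"], "config-mycode"),
    "forum-management": (["title"], "forum"),
    "user-groups": (["title", "short description"], "user-groups"),
    "style-templates": (["name", "title"], "style-templates"),
    "tools-tasks": (["title"], "tools-adminlog"),
    "config-post_icons": (["name"], "tools-adminlog"),
    "user-titles": (["title to assign"], "tools-adminlog"),
    "config-banning": (["username"], "tools-adminlog"),
}

# A tag opening ("<" directly followed by a letter, "/" or "!") or a quote
# that closes an attribute and then the tag. "a < b" and "R&D" are not matched.
MARKUP = re.compile(r"<[/!a-zA-Z]|[\"']\s*>")

# Constructed sample records, as if exported from the forum database.
SAMPLE = [
    {"module": "config-attachment_types", "field": "MIME-type", "value": "image/png"},
    {"module": "config-mycode", "field": "title", "value": "<b>marker</b>"},
    {"module": "tools-tasks", "field": "title", "value": "Hourly cleanup"},
    {"module": "config-banning", "field": "username", "value": '"><i>marker</i>'},
    {"module": "user-groups", "field": "title", "value": "R&D < 10 members"},
    {"module": "forum-management", "field": "description", "value": "<b>x</b>"},
]

def audit(records):
    """Return one finding per advisory-listed field whose stored value holds markup."""
    findings = []
    for rec in records:
        fields, rendered_in = ADVISORY_FIELDS.get(rec["module"], ([], None))
        if rec["field"] not in fields:
            continue  # not an input the advisory names
        if MARKUP.search(rec["value"]):
            findings.append({"module": rec["module"], "field": rec["field"],
                             "rendered_in": rendered_in,
                             # what an output-encoding page would emit instead
                             "escaped": html.escape(rec["value"], quote=True)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['module']}/{f['field']} -> shown in {f['rendered_in']}: {f['escaped']}")
```

A finding means the stored value should be reviewed and cleaned; upgrading to 1.8.4 fixes the rendering but leaves previously stored rows as they are.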
