Posts

Showing posts from December, 2010

MyBB 1.6 <= Cross Site Scripting Vulnerability

http://yehg.net/lab/pr0js/advisories/%5Bmybb1.6%5D_cross_site_scripting

1. OVERVIEW
MyBB was vulnerable to Cross Site Scripting.

2. APPLICATION DESCRIPTION
MyBB is a free bulletin board system software package developed by the MyBB Group. It is reportedly derived from the XMB and DevBB bulletin board applications.

3. VULNERABILITY DESCRIPTION
Two XSS vulnerabilities were found. The first is a user-driven XSS in the "url" parameter of the log-in request: the attacker-supplied value is used as the post-login destination, so the payload fires in the victim's browser once the log-in succeeds. The second is a reflected XSS in the "posthash" parameter, which needs a valid tid (topic id) to succeed. The anti-CSRF check against the "my_post_key" parameter was not performed in thread/post preview mode, which is what lets this reflected XSS be triggered.

4. VERSIONS AFFECTED
MyBB 1.6 and lower

5. PROOF-OF-CONCEPT/EXPLOIT
User-driven XSS
http://attacker.in/mybb/member.php?action=login&url=javascript:alert%28/XSS/%29

Reflected XSS
http://attacker.in/mybb/newreply.php?
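As an added worked example (not part of the advisory or of MyBB's code, and in Python rather than MyBB's PHP): the first issue is a post-login redirect parameter that accepts a javascript: URL. The check below validates such a "url" value, rejecting every scheme other than http(s), protocol-relative targets and foreign hosts, and falls back to a fixed page otherwise. The forum hostname, the fallback path and the list of probe URLs are constructed for the example; the advisory's own payload is the first probe. The second issue (the missing my_post_key check in preview mode) is not covered here.

```python
from urllib.parse import urlsplit

# Hostname of the forum that issues the post-login redirect. Constructed
# for this example; the advisory does not name a real host.
FORUM_HOST = "forum.example"


def is_safe_redirect(url: str, own_host: str = FORUM_HOST) -> bool:
    """Accept only site-relative paths or absolute http(s) URLs on own_host.

    Everything else is rejected: javascript:/data:/vbscript: and any other
    scheme (the XSS vector), protocol-relative "//evil" or "/\\evil" targets,
    and absolute URLs pointing at foreign hosts (open redirect).
    """
    if not isinstance(url, str) or not url:
        return False
    # Browsers ignore ASCII control characters and whitespace embedded in a
    # scheme ("java\tscript:"), so strip them before classifying the value.
    cleaned = "".join(ch for ch in url if ch > "\x20" and ch != "\x7f")
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme == "":
        # No scheme: must be a path on this site, and not a protocol-relative
        # URL, which browsers resolve against a new host.
        return (cleaned.startswith("/")
                and not cleaned.startswith("//")
                and not cleaned.startswith("/\\"))
    if scheme not in ("http", "https"):
        return False
    # hostname is already lower-cased and excludes any user@ prefix, so
    # "http://forum.example@evil.example/" resolves to evil.example here.
    return (parts.hostname or "").lower() == own_host.lower()


def login_redirect_target(requested: str, fallback: str = "/index.php") -> str:
    """Destination after a successful log-in: the requested url only if safe."""
    return requested if is_safe_redirect(requested) else fallback


# The advisory's payload, URL-decoded, followed by common evasions
# (constructed probe list).
PROBES = [
    "javascript:alert(/XSS/)",
    "JaVaScRiPt:alert(1)",
    "java\tscript:alert(1)",
    " javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "//evil.example/",
    "/\\evil.example/",
    "http://forum.example@evil.example/",
    "https://evil.example/",
]
# Legitimate destinations that must keep working.
GOOD = ["/showthread.php?tid=1", "http://forum.example/index.php", "https://forum.example/"]

if __name__ == "__main__":
    for u in PROBES + GOOD:
        print(f"{u!r:48} -> {login_redirect_target(u)}")
```

The allow-list is deliberately narrow: a deny-list of bad schemes would have to chase every case and whitespace trick, whereas "http(s) on our own host, or a site-relative path" is a closed set that is easy to audit.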

MyBB 1.6 <= SQL Injection Vulnerability

1. OVERVIEW
A potential SQL Injection vulnerability was detected in MyBB.

2. APPLICATION DESCRIPTION
MyBB is a free bulletin board system software package developed by the MyBB Group. It is reportedly derived from the XMB and DevBB bulletin board applications.

3. VULNERABILITY DESCRIPTION
The "keywords" parameter was not properly sanitized in /private.php and /search.php, which leads to SQL Injection. Full exploitation is probably mitigated by the clean_keywords and clean_keywords_ft functions in inc/functions_search.php.

4. VERSIONS AFFECTED
MyBB 1.6 and lower

5. PROOF-OF-CONCEPT/EXPLOIT
=> /search.php
POST /mybb/search.php
action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1

=> /private.php
POST /mybb/private.php
my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff

6. SOLUTION
Upgrade to 1.6.1

7. VENDOR
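An added example, not from the advisory or from MyBB, using Python's sqlite3 instead of MyBB's PHP and MySQL: the vulnerable pattern (keywords spliced into the SQL text) beside its parameterized form, plus the boolean-pair probe that tells the two apart. The table and rows are constructed. The advisory's payload `' or 'a' 'a` relies on MySQL joining adjacent string literals, which SQLite does not parse, so the example uses `' or 'a'='a`, which has the same effect.

```python
import sqlite3

# Constructed sample table standing in for the forum's posts; this is not
# MyBB's real schema.
SAMPLE_POSTS = [
    (1, 10, "Welcome to the board"),
    (2, 10, "Board rules"),
    (3, 11, "Off-topic chatter"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (pid INTEGER PRIMARY KEY, tid INTEGER, subject TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, keywords: str) -> list:
    """Unsanitized keywords spliced into the statement: the attacker's quote
    closes the literal and the rest of the input is parsed as SQL."""
    sql = "SELECT pid FROM posts WHERE subject = '" + keywords + "' ORDER BY pid"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, keywords: str) -> list:
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT pid FROM posts WHERE subject = ? ORDER BY pid"
    return [row[0] for row in conn.execute(sql, (keywords,))]


def looks_injectable(conn: sqlite3.Connection, search_fn) -> bool:
    """Boolean-based probe: two inputs that differ only in the truth of the
    injected condition. Different result sets mean the input reached the SQL
    parser; identical ones mean it was handled as data."""
    try:
        true_branch = search_fn(conn, "' or 'a'='a")
        false_branch = search_fn(conn, "' or 'a'='b")
    except sqlite3.Error:
        # A syntax error is itself evidence that the input altered the statement.
        return True
    return true_branch != false_branch


if __name__ == "__main__":
    db = make_db()
    payload = "' or 'a'='a"  # same effect as the advisory's ' or 'a' 'a on MySQL
    print("vulnerable   :", search_vulnerable(db, payload))     # every post
    print("parameterized:", search_parameterized(db, payload))  # nothing
    print("probe vulnerable   :", looks_injectable(db, search_vulnerable))
    print("probe parameterized:", looks_injectable(db, search_parameterized))
```

A keyword-cleaning filter of the kind the advisory mentions can blunt a particular payload, but only the bound parameter removes the parser from the attacker's reach; the probe pair is the quick check to run against both the search and private-message forms after an upgrade.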

Metasploit plugin - vhost_scanner improved & updated

Metasploit vhost_scannery.rb
This is an improved version of the vhost_scanner module in auxiliary/scanner/http/vhost_scanner.rb. We improved it by adding load-from-file support, a more commonly used word list, title/header display and TLD support. It has not yet been added to the Metasploit SVN; to test it, put it into auxiliary/scanner/http/.
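An added example of the scanning logic such a module performs, written in Python rather than the module's Ruby and not taken from the module or from Metasploit: build candidate hostnames from a word list (optionally loaded from a file) and a set of alternative TLDs, send one request per Host header, and report the names whose response differs from the server's default vhost together with the Server header and page title. Reading "TLD support" as retrying each name under extra TLDs is an assumption; the in-memory responses are constructed so the scan runs offline, and http_fetch is the real transport for a live target.

```python
import http.client
import re
from typing import Callable, Dict, Iterable, List, Tuple

# A response is (status, headers, body); a Fetch sends one request carrying
# the given Host header value and returns that response.
Response = Tuple[int, Dict[str, str], str]
Fetch = Callable[[str], Response]

# Short built-in list; a real scan would load a larger one from a file.
DEFAULT_WORDS = ["www", "admin", "dev", "mail", "test", "staging"]


def load_wordlist(path: str) -> List[str]:
    """Load-from-file support: one candidate per line, blanks and # comments skipped."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def candidates(domain: str, words: Iterable[str], tlds: Iterable[str] = ()) -> List[str]:
    """word.domain for every word; with TLD support each name is also retried
    under the alternative TLDs (example.com -> example.net, ...)."""
    sld, _, tld = domain.rpartition(".")
    names = []
    for word in words:
        for t in dict.fromkeys([tld, *tlds]):  # order-preserving de-dup
            names.append(f"{word}.{sld}.{t}" if sld else f"{word}.{t}")
    return names


def extract_title(body: str) -> str:
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return " ".join(m.group(1).split()) if m else ""


def header(headers: Dict[str, str], name: str) -> str:
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def scan(domain: str, words: Iterable[str], fetch: Fetch, tlds: Iterable[str] = ()) -> List[dict]:
    """Request '/' once per candidate Host header; report names whose
    response differs from the default vhost."""
    # Learn the default vhost first with a name that should not exist.
    status, _, body = fetch(f"vhost-baseline-probe.{domain}")
    baseline = (status, extract_title(body), body)
    hits = []
    for host in candidates(domain, words, tlds):
        status, headers, body = fetch(host)
        if (status, extract_title(body), body) == baseline:
            continue
        hits.append({"host": host, "status": status,
                     "server": header(headers, "Server"),
                     "title": extract_title(body)})
    return hits


def http_fetch(ip: str, port: int = 80, timeout: float = 5.0) -> Fetch:
    """Real transport: always connect to the same IP, vary only the Host header."""
    def fetch(host: str) -> Response:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Host": host})
            resp = conn.getresponse()
            return resp.status, dict(resp.getheaders()), resp.read().decode("utf-8", "replace")
        finally:
            conn.close()
    return fetch


# Constructed responses standing in for one server that hosts two named vhosts
# and answers everything else with its default page.
FAKE_SITE: Dict[str, Response] = {
    "admin.example.com": (200, {"Server": "Apache"}, "<html><title>Admin panel</title></html>"),
    "dev.example.net": (200, {"Server": "nginx"}, "<html><title>Dev staging</title></html>"),
}
FAKE_DEFAULT: Response = (200, {"Server": "Apache"}, "<html><title>It works!</title></html>")


def fake_fetch(host: str) -> Response:
    return FAKE_SITE.get(host, FAKE_DEFAULT)


if __name__ == "__main__":
    for hit in scan("example.com", DEFAULT_WORDS, fake_fetch, tlds=("net",)):
        print(f"{hit['host']:24} {hit['status']} {hit['server']:8} {hit['title']}")
```

Comparing against a learned baseline rather than just the status code matters on servers that return 200 for every name; the title and Server header are what make a hit readable in the output.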