Posts

Showing posts from December, 2010

MyBB 1.6 <= Cross Site Scripting Vulnerability

http://yehg.net/lab/pr0js/advisories/%5Bmybb1.6%5D_cross_site_scripting



1. OVERVIEW

MyBB was found to be vulnerable to cross-site scripting (XSS).


2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the MyBB Group.
It is said to have been derived from the XMB and DevBB bulletin board applications.


3. VULNERABILITY DESCRIPTION

Two XSS vulnerabilities were found. The first is a user-driven XSS in the "url" parameter:
the injected script runs in the user's browser once the log-in succeeds.
The second is a reflected XSS in the "posthash" parameter, which requires a valid tid (topic id) for a successful attack.
The anti-CSRF check on the "my_post_key" parameter was not performed in thread/post preview mode, which is what lets the XSS succeed.


4. VERSIONS AFFECTED

MyBB 1.6 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

User-driven XSS
http://attacker.in/mybb/member.php?action=login&url=javascript:alert%28/XSS/%29

Reflected XSS
http://attacker.in/mybb/newreply.php?my_post_key…
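
The defensive counterpart to the "url" login-redirect issue above, added here as an example; it is not MyBB's code and not part of the advisory. It is written in Python (MyBB itself is PHP) so it runs stand-alone, and the default landing page, the allowlisted host and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for this example; MyBB's real paths and settings are not assumed.
DEFAULT_TARGET = "/mybb/index.php"
ALLOWED_HOSTS = frozenset({"forum.example.org"})


def is_safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether an already-decoded 'url' parameter may be used as the
    post-login redirect. Accepts site-relative paths and absolute http(s) URLs
    to an allowlisted host; rejects javascript:, data: and off-site targets."""
    if not isinstance(url, str) or not url:
        return False
    # Browsers drop tabs/newlines while parsing a scheme ("java\tscript:"),
    # so any control character is an outright reject rather than a cleanup.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    if url.startswith("/"):
        # "//evil.example/" and "/\evil.example" are read as absolute by browsers.
        return not (url.startswith("//") or url.startswith("/\\"))
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        # parts.hostname (not netloc) so "user@evil.example" cannot spoof the host.
        return parts.hostname.lower() in allowed_hosts
    if not parts.scheme and not parts.netloc:
        # Relative path such as "showthread.php?tid=1": refuse a colon in the
        # first segment so nothing can be re-read as a scheme downstream.
        first_segment = url.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
        return ":" not in first_segment
    # Any other scheme (javascript:, data:, vbscript:, ...) is rejected.
    return False


def redirect_target(url, default=DEFAULT_TARGET):
    """Return the validated target, or the default landing page."""
    return url if is_safe_redirect_target(url) else default


if __name__ == "__main__":
    # The advisory's payload, already URL-decoded as the application would see it.
    print(redirect_target("javascript:alert(/XSS/)"))   # /mybb/index.php
    print(redirect_target("showthread.php?tid=1"))       # showthread.php?tid=1
```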

MyBB 1.6 <= SQL Injection Vulnerability

1. OVERVIEW

A potential SQL injection vulnerability was detected in MyBB.


2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the MyBB Group.
It is said to have been derived from the XMB and DevBB bulletin board applications.


3. VULNERABILITY DESCRIPTION

The "keywords" parameter is not properly sanitized in /private.php and /search.php, which leads to SQL injection. Full exploitation is probably mitigated by the clean_keywords and clean_keywords_ft functions in inc/functions_search.php.


4. VERSIONS AFFECTED

MyBB 1.6 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

=> /search.php

POST /mybb/search.php

action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1


=> /private.php

POST /mybb/private.php

my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff


6. SOLUTION

Upgrade to 1.6.1


7. VENDOR

MyBB Develop…

Metasploit plugin - vhost_scanner improved & updated

Metasploit

vhost_scannery.rb

This is an improved version of vhost_scanner in auxiliary/scanner/http/vhost_scanner.rb. We improved it by adding load-from-file support, a more commonly used word list, title/header display, and TLD support. It has not yet been added to the Metasploit SVN. You can test it by putting it into auxiliary/scanner/http/