lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051223192714.BA5DD90006@www.strato-webmail.de>
Date: Fri, 23 Dec 2005 20:27:14 +0100 (CET)
From: tk@...pkit.de
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: [TKADV2005-12-001] Multiple SQL Injection
	vulnerabilities in MyBB



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:            Multiple SQL Injection vulnerabilities in MyBB
Name:                TKADV2005-12-001
Revision:            1.0              
Release Date:        2005/12/23 
Last Modified:       2005/12/23 
Date Reported:       2005/11/07
Author:              Tobias Klein (tk at trapkit.de)
Affected Software:   MyBB (all versions <= MyBB PR2 Rev.686) 
Risk:                Critical (x) High ( ) Medium ( ) Low ( )  
Vendor URL:          http://www.mybboard.com/ 
Vendor Status:       Vendor has released an updated version         

                    
========= 
Overview:
========= 

  MyBB is a powerful, efficient and free forum package developed in 
  PHP and MySQL. 

  Version MyBB PR2 Rev.686 and prior contain multiple SQL Injection 
  vulnerabilities.
 

======================
Vulnerability details: 
======================

Some of the following vulnerabilities can be successfully exploited
by every anonymous guest user of MyBB. To exploit the other issues
a registered user account is needed. Because of that all 
vulnerabilities are rated with a high probability of occurrence.

Every single SQL injection issue that is described in the following
allows a full compromise of a MyBB installation (f.e. steal or 
[re]set the administrator password). PoC code has been developed 
but won't be released to the public.

For a description of the calculation of the resulting threat of a 
vulnerability see reference [3]. 


[1] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any anonymous
  guest user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/calendar.php?action=addevent
	
Vulnerable POST parameter: month
	
Proof of Concept (POST request):

  POST [path_to_mybb]/calendar.php HTTP/1.1

  Parameter   | Value
  --------------------------------
  month       | 11[SQL]
  day         | 11
  year        | 2005
  subject     | test
  description | test
  action      | do_addevent


[2] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any anonymous
  guest user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/calendar.php?action=addevent
	
Vulnerable POST parameter: day
	
Proof of Concept (POST request):

  POST [path_to_mybb]/calendar.php HTTP/1.1
  
  Parameter   | Value
  --------------------------------
  month       | 11
  day         | 11[SQL]
  year        | 2005
  subject     | test
  description | test
  action      | do_addevent


[3] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any anonymous
  guest user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/calendar.php?action=addevent
	
Vulnerable POST parameter: year
	
Proof of Concept (POST request):

  POST [path_to_mybb]/calendar.php HTTP/1.1

  Parameter   | Value
  --------------------------------
  month       | 11
  day         | 11
  year        | 2005[SQL]
  subject     | test
  description | test
  action      | do_addevent


[4] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any registered
  user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/usercp.php?action=options
	
Vulnerable POST parameter: threadmode
	
Proof of Concept (POST request):

  POST [path_to_mybb]/usercp.php HTTP/1.1

  Parameter       | Value
  --------------------------------
  allownotices    | yes
  emailnotify     | yes
  receivepms      | yes
  pmpopup         | yes
  pmnotify        | yes
  dateformat      |	
  timeformat      |
  timezoneoffset  | 0
  tpp             |
  daysprune       |
  ppp             |
  threadmode      | [SQL]
  showcodebuttons | 1
  style           | 0
  language        |
  action          | do_options
  regsubmit       | Update Options


[5] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any registered
  user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/usercp.php?action=options
	
Vulnerable POST parameter: showcodebuttons
	
Proof of Concept (POST request):

  POST [path_to_mybb]/usercp.php HTTP/1.1

  Parameter       | Value
  --------------------------------
  allownotices    | yes
  emailnotify     | yes
  receivepms      | yes
  pmpopup         | yes
  pmnotify        | yes
  dateformat      |	
  timeformat      |
  timezoneoffset  | 0
  tpp             |
  daysprune       |
  ppp             |
  threadmode      | 
  showcodebuttons | 1[SQL]
  style           | 0
  language        |
  action          | do_options
  regsubmit       | Update Options


[6] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any registered
  user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/usercp.php?action=editlists
	
Vulnerable POST parameter: list
	
Proof of Concept (POST request):

  POST [path_to_mybb]/usercp.php HTTP/1.1

  Parameter          | Value
  --------------------------------
  listuser%5B1%5D    | admin
  listuser%5Bnew1%5D |	
  listuser%5Bnew2%5D |	
  action             | do_editlists
  list               | buddy[SQL]
  submit             | Update Buddy List


[7] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any registered
  user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/member.php?action=rate&uid=1
	
Vulnerable POST parameter: rating
	
Proof of Concept (POST request):

  POST [path_to_mybb]/member.php HTTP/1.1

  Parameter  | Value
  --------------------------------
  rating     | 5[SQL]
  action     | do_rate
  uid        | 1


[8] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:

  MyBB is prone to a SQL injection vulnerability. This issue is due
  to a lack of proper sanitization of user-supplied input before
  using it in an SQL query.

  Successful exploitation could result in a compromise of the 
  application, disclosure or modification of data, or may permit an 
  attacker to exploit vulnerabilities in the underlying database 
  implementation.
  
  This vulnerability can be successfully exploited by any registered
  user of MyBB.
	
Vulnerable URL:

	[path_to_mybb]/showthread.php?tid=1
	
Vulnerable POST parameter: rating
	
Proof of Concept (POST request):

  POST [path_to_mybb]/ratethread.php HTTP/1.1

  Parameter | Value
  --------------------------------
  rating    | 5[SQL]
  tid       | 1


========= 
Solution: 
=========

  Upgrade to MyBB 1.0 or newer.
  
  http://www.mybboard.com/downloads.php
  

======== 
History: 
========

  2005/11/07 - Vendor notified 
  2005/11/07 - Vendor response
  2005/11/15 - Contacted vendor regarding status report
  2005/11/16 - Vendor response
  2005/12/04 - Contacted vendor regarding status report
  2005/12/06 - Vendor response
  2005/12/09 - Release of new MyBB version
  2005/12/09 - Patch notification released
  2005/12/23 - Full technical details released to general public


======== 
Credits: 
========

  Vulnerabilities found and advisory written by Tobias Klein.


=========== 
References: 
===========

  [1] http://community.mybboard.net/showthread.php?tid=5184
  [2] http://www.trapkit.de/advisories/TKADV2005-12-001.txt
  [3] http://www.trapkit.de/advisories/TKPN2005-12-001.txt
  [4] http://www.trapkit.de/advisories/TKADVcortav.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release
  

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2005 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ6xPFZF8YHACG4RBEQJx1QCfdFspLw8epNGeZXzNLfxVcbpP4fIAoL/c
Yj40PaAEeU82FFSNBUBbtVcF
=Tb+B
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ