| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 2 Apr 2011 18:35:19 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: AoF, IAA, XML Injection and XSS vulnerabilities in MyBB Hello list! I want to warn you about Abuse of Functionality, Insufficient Anti-automation, XML Injection and Cross-Site Scripting vulnerabilities in MyBB. ------------------------- Affected products: ------------------------- Vulnerable are MyBB 1.6.1 and previous versions. In versions MyBB 1.6.2 and 1.4.15 XML Injection and XSS holes were fixed (http://blog.mybb.com/2011/02/22/mybb-1-6-2-and-1-4-15-security-update/). Also developers have tried to fix IAA by adding new parameter my_post_key to request, but it'd not help against IAA. Because it's enough to take value of this parameter from forum's page (which can be done by program) and later on to conduct automated login enumeration attack. ---------- Details: ---------- Abuse of Functionality (WASC-42): These functionalities allow to conduct Login Enumeration attack. http://site/xmlhttp.php?action=username_availability&value=test http://site/xmlhttp.php?action=username_exists&value=test Insufficient Anti-automation (WASC-21): These functionalities have no protection from automated attacks. Which allows to automate login enumeration via Abuse of Functionality vulnerabilities, to reveal logins of users in the system. XML Injection (WASC-23): http://site/xmlhttp.php?action=username_exists&value=%3Cxml/%3E XSS via XML Injection (WASC-08): http://site/xmlhttp.php?action=username_exists&value=%3Cdiv%20xmlns=%22http://www.w3.org/1999/xhtml%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/div%3E ------------ Timeline: ------------ 2011.02.12 - announced at my site. 2011.02.13 - informed developers. 2011.02.22 - developers fixed some of these vulnerabilities in versions MyBB 1.6.2 and 1.4.15. 2011.04.01 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4925/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists