lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <007c01cc0109$84105ca0$0201a8c0@ml>
Date: Fri, 22 Apr 2011 19:21:55 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in MyBB

Hello list!

I want to warn you about Information Leakage, Abuse of Functionality,
Insufficient Anti-automation and Brute Force vulnerabilities in
MyBB.

-------------------------
Affected products:
-------------------------

Vulnerable are MyBB 1.6.3 and previous versions.

In recently released versions MyBB 1.6.3 and 1.4.16 the developers denied to
fix these vulnerabilities.

----------
Details:
----------

Information Leakage (WASC-13):

Logins are names of the users at the forum (and so it's possible to reveal
logins at forum's pages).

Abuse of Functionality (WASC-42):

Login enumeration is possible in these functionalities - by id it's possible
to reveal all logins:

http://site/member.php?action=profile&uid=1

http://site/member.php?action=activate&uid=1

Abuse of Functionality (WASC-42):

http://site/member.php?action=login

If to enter incorrect login and password and correct login and incorrect
password, then in second case the captcha shows. Which allows to reveal
logins (at that this process can be automated, because it doesn't protected
by captcha).

Insufficient Anti-automation (WASC-21):

http://site/member.php?action=activate&uid=1

http://site/member.php?action=lostpw

These functionalities have no protection from automated attacks (captcha).

Brute Force (WASC-11):

In login form (http://site/member.php?action=login) the vulnerable captcha 
is used, which shows after unsuccessful authentication attempt.

For bypassing of captcha the session reusing with constant captcha bypass
method is used, which described in my project Month of Bugs in Captchas
(http://websecurity.com.ua/1551/).

------------
Timeline:
------------

2011.03.12 - announced at my site.
2011.03.16 - informed developers.
2011.04.17 - developers didn't fix these vulnerabilities in released
versions MyBB 1.6.3 and 1.4.16.
2011.04.21 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4999/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ