| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 1 May 2011 20:17:51 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: XSS, Redirector and IAA vulnerabilities in MyBB Hello list! I want to warn you about Cross-Site Scripting, URL Redirector Abuse and Insufficient Anti-automation vulnerabilities in MyBB. ------------------------- Affected products: ------------------------- Vulnerable are MyBB 1.6.3 and previous versions. In recently released versions MyBB 1.6.3 and 1.4.16 the developers denied to fix these vulnerabilities. ---------- Details: ---------- For XSS and URL Redirector Abuse the working account at vulnerable forum is used. About such attacks I wrote in my article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). XSS (WASC-08): http://websecurity.com.ua/uploads/2011/MyBB%20XSS-3.html URL Redirector Abuse (WASC-38): http://websecurity.com.ua/uploads/2011/MyBB%20Redirector.html Insufficient Anti-automation (WASC-21): In registration form (http://site/member.php?action=register) the vulnerable captcha is used. For bypassing of captcha the session reusing with constant captcha bypass method isn't right for it (unlike login form, even it's the same captcha, because in this form they made the hole "not completely"). So it's needed to use half-automated method which described in my project Month of Bugs in Captchas (http://websecurity.com.ua/1595/). There also can be turned on limitation by IP. The limitation on two registrations from one IP per 24 hours can't protect completely, because it's bypassing by using of a proxy. So it's needed to have reliable captcha. ------------ Timeline: ------------ 2011.03.18 - announced at my site. 2011.03.25 - informed developers. 2011.04.17 - developers didn't fix these vulnerabilities in released versions MyBB 1.6.3 and 1.4.16. 2011.04.28 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5016/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists