Man-In-the-Middle
Multiple vulnerabilities in MyBB 1.0.4
« on: 15 March 2006, 21:31 »

Risk Level: high

Vulnerability:
-------------------
There are some security bugs in MyBB software that allow an attacker to perform a Header Injection attack. MyBB is prone to header injection in "many pages" as a result of unsanitized CRLFs and other meaningful characters when embedding user-supplied variables in the HTTP header while redirecting.
Possible attacks against this type of injection are: XSS, cache poisoning, hijacking pages, etc.
We suggest the vendor validate these characters in the redirect function as an immediate patch, and in future versions validate user-supplied variables when embedding data in headers.


Exploit:
--------------------
Send a request to some pages that need the referrer while redirecting.
POST
Refferer: %0d%0a%0d%0ai+am+here
Even if the friendly redirecting feature was off, all pages that embed user-supplied data can be exploited.

Solution:
--------------------
Upgrade to the vendor-provided patch.
Suggestion:
inc/function.php{306}
before 324 insert
$url = str_replace(array("\n","\r",";"), "", $url);

------------------------------------------------------------


Risk Level: high

-------Description-------
There is a security bug in MyBB 1.0.4 software (latest version, fully patched) that allows an attacker to perform an XSS attack. The bug is a result of not sanitizing quotation and < & > characters for the "url" parameter.
The bug is in the member.php file while redirecting after logging in.

-------Exploit-------
/mybb/member.php?action=do_login&username=imei
&password=doyouneedmine&url="><script>alert(1)</script><!--

-------Solution-------
Upgrade to the vendor-provided patch.

--------------------------------------------------------------------

Risk Level: medium

-----------------Description---------------
There is a security bug in MyBB 1.0.3 software (latest version, fully patched) that allows an attacker to perform an XSS attack. The bug is a result of leaving some unneeded code, or some code that has no field for entry but is available for blindfolded input...
The bug is in the member.php file while registering. Some fields that are never htmlspecialchar'd in the profile display process (because they are htmlspecialchar'd while CHANGING {and not while registering}) are entered in the user detail fields and can accept <>& chars...
Exploitable fields are:
aim ~ yahoo ~ msn ~ website
The source of the buggy code is in member.php {382-417}
$newuser = array(
....view source for more details...

--------------Exploit----------------------
/mybb/member.php?username=blab&password=blabblab &password2=blabblab &email=blab@blab.com& &email2=blab@blab.com&imagestring=[fill here if needed]&imagehash=[fill here if needed]
&action=do_register&yahoo=%3C script%3E alert(document.cookie)%3C/script %3E&regsubmit=register me mybb:D

--------------Solution---------------------
Not Available

So, who says XSS isn't dangerous!! :P
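A defensive sketch covering the three reports in the post above, added here as an example; it is not MyBB code or the vendor patch. The function names `safe_redirect_target` and `html_attr`, the allowlist pattern and the fallback page are assumptions. Rather than stripping characters as the suggested `str_replace` does, it rejects any redirect target that is not a plain same-site script URL, and encodes stored profile fields at output time.

```php
<?php
// Added example (assumed names); not taken from MyBB or its patch.

/** Return $url only if it is a same-site relative script URL, else $fallback. */
function safe_redirect_target(string $url, string $fallback = 'index.php'): string
{
    // Reject control characters (CR, LF, NUL, ...) both raw and percent-encoded,
    // so a value like the advisory's %0d%0a can never split the response header.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url . rawurldecode($url))) {
        return $fallback;
    }
    // Allowlist: "script.php" plus an optional query string. No scheme, no host,
    // no quotes or angle brackets, so it is also safe inside an HTML attribute.
    if (!preg_match('#^[A-Za-z0-9_\-]+\.php(\?[A-Za-z0-9_\-.=&%+]*)?$#D', $url)) {
        return $fallback;
    }
    return $url;
}

/** Encode a value for HTML text or attribute context at output time. */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Sample inputs: the first and third are constructed, the others are the
// values quoted in the advisories above.
$samples = [
    'member.php?action=profile&uid=2',
    '%0d%0a%0d%0ai+am+here',
    "index.php\r\nX-Injected: 1",
    '"><script>alert(1)</script><!--',
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), safe_redirect_target($s));
}

// Profile fields (aim, yahoo, msn, website): encode when displaying, whichever
// code path (register or change) stored the value.
$yahoo = '<script>alert(document.cookie)</script>';
echo '<td>', html_attr($yahoo), "</td>\n";
```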