Jump to content
Aerosol

MyBB 1.8.3 Cross Site Scripting

Recommended Posts

Advisory: Stored XSS-Vulnerabilities in MyBB v. 1.8.3
Advisory ID: SROEADV-2015-15
Author: Steffen Rösemann
Affected Software: MyBB v. 1.8.3
Vendor URL: http://www.mybb.com
Vendor Status: patched
CVE-ID: -

==========================
Vulnerability Description:
==========================

MyBB v. 1.8.3 suffers from multiple stored XSS-vulnerabilities in the
administrative backend.

==================
Technical Details:
==================

The stored XSS-vulnerabilities can be found in different modules in the
following locations of a common MyBB installation:

======================
Module "config-attachment_types"
======================

via form-field MIME-type:

http://{TARGET}/admin/index.php?module=config-attachment_types&action=add

executed in: e.g. http://
{TARGET}/admin/index.php?module=config-attachment_types

===============
Module "config-mycode"
===============

via form fields "title" and "short description":

http://{TARGET}/admin/index.php?module=config-mycode&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode

===================
Module "forum-management"
===================

via form field "title":

http://{TARGET}/admin/index.php?module=forum-management&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=forum

==============
Module "user-groups"
==============

via form fields "title" and/or "short description":

http://{TARGET}/admin/index.php?module=user-groups&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups

================
Module "style-templates"
================

via form field "name":

http://{TARGET}/admin/index.php?module=style-templates&action=add_set

executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates

====================================
Module "style-templates" in action "add_template_group"
====================================

via form field "title":

http://
{TARGET}/admin/index.php?module=style-templates&action=add_template_group

executed in: e.g. http://
{TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID}

=============
Module "tool-tasks"
=============

via form field "title":

http://{TARGET}/admin/index.php?module=tools-tasks&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=================
Module "config-post_icons"
=================

via form field "name":

http://{TARGET}/admin/index.php?module=config-post_icons&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=============
Module "user-titles"
=============

via form field "title to assign":

http://{TARGET}/admin/index.php?module=user-titles&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

================
Module "config-banning"
================

via form field "username":

http://{TARGET}/admin/index.php?module=config-banning&type=usernames

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=========
Solution:
=========

Upgrade to v. 1.8.4.


====================
Disclosure Timeline:
====================
02/03-Feb-2015 – found the vulnerabilities
03-Feb-2015 - informed the developers according to their security issue
rules (see [3])
03-Feb-2015 – release date of this security advisory [without technical
details]
03-Feb-2015 - vendor replied, issues will be patched
15-Feb-2015 - vendor released patch v. 1.8.4 (see [4])
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - send to FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://www.mybb.com
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html
[3] http://www.mybb.com/get-involved/security/
[4]
http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/

Source

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...