exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MyBB 1.6.x ChangUonDyU Chatbox 3.6.0 Cross Site Scripting

MyBB 1.6.x ChangUonDyU Chatbox 3.6.0 Cross Site Scripting
Posted Feb 25, 2019
Authored by KingSkrupellos

MyBB version 1.6.x with ChangUonDyU Chatbox plugin version 3.6.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | e2ce77d650449c20f41b7440b5a99492fb2b20cce30030c22feec260c9befa81

MyBB 1.6.x ChangUonDyU Chatbox 3.6.0 Cross Site Scripting

Change Mirror Download
############################################################################

# Exploit Title : MyBB 1.6.x ChangUonDyU Chatbox Plugins 3.6.0 Cross Site Scripting
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 26/02/2019
# Vendor Homepage : mybb.com
# Software Download Link : destek.mybb.com.tr/attachment.php?aid=742
# Software Information Links : community.mybb.com/mods.php?action=view&pid=1125
+ community.mybb.com/mods.php?action=view&pid=1125
+ destek.mybb.com.tr/showthread.php?tid=2413
+ community.mybb.com/thread-63559.html
+ github.com/vintagedaddyo/MyBB_Plugin-ChangUonDyU-Advanced-Statistics
/commit/8122c93f4c3b517b9d35338fe77ba91d9a6ac08a
# Software Version : 1.0.2 and 3.6.0 and all previous versions
Compatible with MyBB - 1.6.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
CWE-83 [ Improper Neutralization of Script in Attributes in a Web Page ]
CWE-87 [ Improper Neutralization of Alternate XSS Syntax ]
# Old Similar CVE : CVE-2018-11532
Reference Link : cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11532
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cyberizm.org/cyberizm-mybb-changuondyu-kritik-chatbox-acigi.html

############################################################################

# Description about Software :
***************************
ChangUonDyU - Extra File Chatbox is a MyBB plugin used for live chatting with other users on the forum.

####################################################################

# Impact :
***********
* The software does not neutralize or incorrectly neutralizes "javascript:" or other URIs from

dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

* The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

* The software does not neutralize or incorrectly neutralizes user-controllable input before

it is placed in output that is used as a web page that is served to other users.

Cross-site scripting (XSS) vulnerabilities occur when:
***********************************************
1. Untrusted data enters a web application, typically from a web request.

2. The web application dynamically generates a web page that contains this untrusted data.

3. During page generation, the application does not prevent the data from containing content that is

executable by a web browser, such as JavaScript, HTML tags,

HTML attributes, mouse events, Flash, ActiveX, etc.

4. A victim visits the generated web page through a web browser, which contains

malicious script that was injected using the untrusted data.

5. Since the script comes from a web page that was sent by the web server, the victim's

web browser executes the malicious script in the context of the web server's domain.

6. This effectively violates the intention of the web browser's same-origin policy, which

states that scripts in one domain should not be able to access resources or run code in a different domain.

There are three main kinds of XSS:
******************************

Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and
reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes
a victim to supply dangerous content to a vulnerable web application, which is then reflected
back to the victim and executed by the web browser. The most common mechanism for
delivering malicious content is to include it as a parameter in a URL that is posted publicly
or e-mailed directly to the victim. URLs constructed in this manner constitute the core of
many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers
to a vulnerable site. After the site reflects the attacker's content back to the victim,
the content is executed by the victim's browser.

Type 2: Stored XSS (or Persistent) - The application stores dangerous data in a database,
message forum, visitor log, or other trusted data store. At a later time, the dangerous
data is subsequently read back into the application and included in dynamic content.
From an attacker's perspective, the optimal place to inject malicious content is in an area
that is displayed to either many users or particularly interesting users.
Interesting users typically have elevated privileges in the application or interact with
sensitive data that is valuable to the attacker. If one of these users executes malicious content,
the attacker may be able to perform privileged operations on behalf of the user or gain access
to sensitive data belonging to the user. For example, the attacker might inject XSS into
a log message, which might not be handled properly when an administrator views the logs.

Type 0: DOM-Based XSS - In DOM-based XSS, the client performs the injection of
XSS into the page; in the other types, the server performs the injection. DOM-based XSS
generally involves server-controlled, trusted script that is sent to the client, such as
Javascript that performs sanity checks on a form before the user submits it.
If the server-supplied script processes user-supplied data and then injects it
back into the web page (such as with dynamic HTML), then DOM-based XSS is possible.

############################################################################

Vulnerable File :
******************
[VULNERABLESITE]/chatbox/message.php

Vulnerable Source Code :
**********************
54: $shout['color'] = strip_tags($shout['color']);
55: $shout['font'] = strip_tags($shout['font']);

Example Dangerous JavaScript Code :
********************************
' size=99 onmouseover=document.write(atob('aHR0cHM6Ly93d3cuY3liZXJpem0ub3JnLw====')); a='asd

Encode and Decode URL Links:
****************************
base64encode.org
base64decode.org

Vulnerability Area :
****************
[VULNERABLESITE]/chatbox/index.php

Cross Site Scripting XSS Exploit :
*****************************
[VULNERABLESITE]/chatbox/archive.php?page=[XSS]

# Example XSS Payload :
************************
<marquee>XSS-Vulnerability-Discoverd-By-KingSkrupellos</marquee>

Proof of Concept :
*****************
Create a new thread with the following payload as the title <svg onload=alert('XSS')>

The alert will appear on the index page

# Solution to Fix this Bug :
************************
Now - Find chatbox folder/config.php - Find the codes below

$config['forumlink'] = 'domain1.net/forum,domain2.com'; //Forum url

Here is the link which domain should be run. We will edit this file like this.
For example ; We can enter forum.[VULNERABLESITE].gov and [VULNERABLESITE].gov/FORUM

$config['forumlink'] = '[VULNERABLESITE].com/forum,forum.[VULNERABLESITE].com'; //Forum url

If the domain is unique - so we change this file like this ;

$config['forumlink'] = '[VULNERABLESITE].com'; //Forum url

Then

$config['chatboxkey'] = 'your_chatbox_key'; // ChatboxKey

Find this chatbox key. It should be longer. Nobody should guess it. Note this key somewhere. Then find this codes.

$config['check_domain_reffer'] = false; // Check reffer url
$config['check_chatbox_key'] = false; // check ChatboxKey

Change with this codes.

$config['check_domain_reffer'] = true; // Check reffer url
$config['check_chatbox_key'] = true; // check ChatboxKey

Then save the file.

Then => Administration Panel => Settings => Forum Settings => ChangUonDyU Chatbox Extensions => Enter here your [ your_chatbox_key ] and save it.

If you want to change [ Access Denied (Invaild ChatboxKey or URL) ] keywords. Go to the config.php and save this file however you wish.

$phrase['accessdenied'] = "<b>Access Denied (Invaild ChatboxKey or URL)</b>";

That's all. The Bug has been fixed.

############################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close