-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:          Multiple SQL Injection vulnerabilities in MyBB
Name:              TKADV2005-12-001
Revision:          1.0
Release Date:      2005/12/23
Last Modified:     2005/12/23
Date Reported:     2005/11/07
Author:            Tobias Klein (tk at trapkit.de)
Affected Software: MyBB (all versions <= MyBB PR2 Rev.686)
Risk:              Critical (x)  High ( )  Medium ( )  Low ( )
Vendor URL:        http://www.mybboard.com/
Vendor Status:     Vendor has released an updated version

=========
Overview:
=========

MyBB is a powerful, efficient and free forum package developed in PHP and MySQL.

Version MyBB PR2 Rev.686 and prior contain multiple SQL Injection vulnerabilities.

======================
Vulnerability details:
======================

Some of the following vulnerabilities can be successfully exploited by every anonymous guest user of MyBB. To exploit the other issues a registered user account is needed. Because of that, all vulnerabilities are rated with a high probability of occurrence.

Every single SQL injection issue described in the following allows a full compromise of a MyBB installation (e.g. stealing or [re]setting the administrator password).

PoC code has been developed but won't be released to the public.

For a description of the calculation of the resulting threat of a vulnerability see reference [3].

[1] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any anonymous guest user of MyBB.
Vulnerable URL:            [path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: month

Proof of Concept (POST request):

POST [path_to_mybb]/calendar.php HTTP/1.1

Parameter      | Value
--------------------------------
month          | 11[SQL]
day            | 11
year           | 2005
subject        | test
description    | test
action         | do_addevent

[2] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any anonymous guest user of MyBB.

Vulnerable URL:            [path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: day

Proof of Concept (POST request):

POST [path_to_mybb]/calendar.php HTTP/1.1

Parameter      | Value
--------------------------------
month          | 11
day            | 11[SQL]
year           | 2005
subject        | test
description    | test
action         | do_addevent

[3] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any anonymous guest user of MyBB.
Vulnerable URL:            [path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: year

Proof of Concept (POST request):

POST [path_to_mybb]/calendar.php HTTP/1.1

Parameter      | Value
--------------------------------
month          | 11
day            | 11
year           | 2005[SQL]
subject        | test
description    | test
action         | do_addevent

[4] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any registered user of MyBB.

Vulnerable URL:            [path_to_mybb]/usercp.php?action=options
Vulnerable POST parameter: threadmode

Proof of Concept (POST request):

POST [path_to_mybb]/usercp.php HTTP/1.1

Parameter        | Value
--------------------------------
allownotices     | yes
emailnotify      | yes
receivepms       | yes
pmpopup          | yes
pmnotify         | yes
dateformat       |
timeformat       |
timezoneoffset   | 0
tpp              |
daysprune        |
ppp              |
threadmode       | [SQL]
showcodebuttons  | 1
style            | 0
language         |
action           | do_options
regsubmit        | Update Options

[5] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any registered user of MyBB.
Vulnerable URL:            [path_to_mybb]/usercp.php?action=options
Vulnerable POST parameter: showcodebuttons

Proof of Concept (POST request):

POST [path_to_mybb]/usercp.php HTTP/1.1

Parameter        | Value
--------------------------------
allownotices     | yes
emailnotify      | yes
receivepms       | yes
pmpopup          | yes
pmnotify         | yes
dateformat       |
timeformat       |
timezoneoffset   | 0
tpp              |
daysprune        |
ppp              |
threadmode       |
showcodebuttons  | 1[SQL]
style            | 0
language         |
action           | do_options
regsubmit        | Update Options

[6] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any registered user of MyBB.

Vulnerable URL:            [path_to_mybb]/usercp.php?action=editlists
Vulnerable POST parameter: list

Proof of Concept (POST request):

POST [path_to_mybb]/usercp.php HTTP/1.1

Parameter           | Value
--------------------------------
listuser%5B1%5D     | admin
listuser%5Bnew1%5D  |
listuser%5Bnew2%5D  |
action              | do_editlists
list                | buddy[SQL]
submit              | Update Buddy List

[7] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
This vulnerability can be successfully exploited by any registered user of MyBB.

Vulnerable URL:            [path_to_mybb]/member.php?action=rate&uid=1
Vulnerable POST parameter: rating

Proof of Concept (POST request):

POST [path_to_mybb]/member.php HTTP/1.1

Parameter      | Value
--------------------------------
rating         | 5[SQL]
action         | do_rate
uid            | 1

[8] SQL Injection

Possible damage:           Critical
Probability of occurrence: High
Resulting threat:          Critical

HTTP method: POST

Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any registered user of MyBB.

Vulnerable URL:            [path_to_mybb]/showthread.php?tid=1
Vulnerable POST parameter: rating

Proof of Concept (POST request):

POST [path_to_mybb]/ratethread.php HTTP/1.1

Parameter      | Value
--------------------------------
rating         | 5[SQL]
tid            | 1

=========
Solution:
=========

Upgrade to MyBB 1.0 or newer.
http://www.mybboard.com/downloads.php

========
History:
========

2005/11/07 - Vendor notified
2005/11/07 - Vendor response
2005/11/15 - Contacted vendor regarding status report
2005/11/16 - Vendor response
2005/12/04 - Contacted vendor regarding status report
2005/12/06 - Vendor response
2005/12/09 - Release of new MyBB version
2005/12/09 - Patch notification released
2005/12/23 - Full technical details released to general public

========
Credits:
========

Vulnerabilities found and advisory written by Tobias Klein.
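All eight items above share one defect: a POST field (the numeric month, day, year, rating and showcodebuttons, or the enumerated threadmode and list) reaches an SQL statement as raw text. The program below is an added example, not MyBB code and not part of the advisory. It reproduces the pattern against a constructed SQLite table, then shows the fix a defender would apply: an allow-list that fixes each field's type and range before the request touches the database, followed by a parameterised query. The table columns, the numeric ranges and the enum members are assumptions chosen for the example; the sample POST bodies are constructed from the advisory's PoC tables [1] and [4].

```python
"""Added example: the advisory's SQL injection pattern beside a hardened handler."""
import re
import sqlite3

# Constructed stand-in for MyBB's calendar table; the real schema is not on the
# page, so these column names are assumptions.
SCHEMA = """CREATE TABLE events (
    eid INTEGER PRIMARY KEY, month INTEGER, day INTEGER, year INTEGER, subject TEXT)"""

# Constructed POST bodies modelled on the advisory's PoC tables [1] and [4].
# "[SQL]" is the advisory's own placeholder for attacker-supplied text.
CALENDAR_POST = {"month": "11[SQL]", "day": "11", "year": "2005",
                 "subject": "test", "description": "test", "action": "do_addevent"}
USERCP_POST = {"allownotices": "yes", "timezoneoffset": "0", "threadmode": "[SQL]",
               "showcodebuttons": "1", "style": "0", "action": "do_options"}

# Allow-list: every field that ends up in SQL gets a type and a range or enum.
# Ranges and enum members are assumptions for the example, not MyBB's values.
INT_FIELDS = {"month": (1, 12), "day": (1, 31), "year": (1970, 2100),
              "rating": (1, 5), "showcodebuttons": (0, 1),
              "uid": (1, 2**31 - 1), "tid": (1, 2**31 - 1)}
ENUM_FIELDS = {"threadmode": {"linear", "threaded"}, "list": {"buddy", "ignore"}}
DIGITS = re.compile(r"[0-9]{1,10}")  # ASCII digits only; rejects "11[SQL]", "-1", "1e3"


class BadRequest(ValueError):
    """Raised when a request fails validation; nothing has touched the database."""


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.execute("INSERT INTO events VALUES (1, 11, 11, 2005, 'existing')")
    return con


def vulnerable_add_event(con, post):
    """The defect the advisory describes: request fields interpolated into SQL.
    Numeric columns are unquoted, so whatever the client sent is parsed as SQL."""
    sql = ("INSERT INTO events (month, day, year, subject) VALUES (%s, %s, %s, '%s')"
           % (post["month"], post["day"], post["year"], post["subject"]))
    con.execute(sql)
    # Return the month actually stored so the effect of the input is observable.
    return con.execute("SELECT month FROM events ORDER BY eid DESC LIMIT 1").fetchone()[0]


def field_errors(post):
    """Map every field that violates its rule to a reason; empty dict means clean."""
    errors = {}
    for name, raw in post.items():
        if name in INT_FIELDS:
            lo, hi = INT_FIELDS[name]
            if not DIGITS.fullmatch(raw):
                errors[name] = "not an unsigned integer"
            elif not lo <= int(raw) <= hi:
                errors[name] = "out of range %d..%d" % (lo, hi)
        elif name in ENUM_FIELDS and raw not in ENUM_FIELDS[name]:
            errors[name] = "not in allow-list"
        # Free-text fields (subject, description) have no rule here; they are
        # bound as parameters below and never spliced into SQL text.
    return errors


def validate(post, required=()):
    """Reject the whole request on any bad field; convert integers on success."""
    missing = [n for n in required if n not in post]
    if missing:
        raise BadRequest("missing field(s): " + ", ".join(missing))
    errors = field_errors(post)
    if errors:
        raise BadRequest("; ".join("%s: %s" % item for item in sorted(errors.items())))
    clean = dict(post)
    for name in INT_FIELDS:
        if name in clean:
            clean[name] = int(clean[name])
    return clean


def safe_add_event(con, post):
    """Hardened form: typed allow-list first, then a parameterised INSERT."""
    clean = validate(post, required=("month", "day", "year", "subject"))
    con.execute("INSERT INTO events (month, day, year, subject) VALUES (?, ?, ?, ?)",
                (clean["month"], clean["day"], clean["year"], clean["subject"]))
    return con.execute("SELECT month FROM events ORDER BY eid DESC LIMIT 1").fetchone()[0]


def handle_add_event(con, post):
    """Request-handler shape: ('ok', stored_month) or ('rejected', reason)."""
    try:
        return ("ok", safe_add_event(con, post))
    except BadRequest as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # A benign tautology is enough to show the loss of control in the vulnerable
    # path: the stored month is no longer what the form field said.
    print("vulnerable, month='11 OR 1' stored:",
          vulnerable_add_event(make_db(), dict(CALENDAR_POST, month="11 OR 1")))
    print("advisory PoC [1] against hardened handler:",
          handle_add_event(make_db(), CALENDAR_POST))
    print("advisory PoC [4] field errors:", field_errors(USERCP_POST))
```

The same `field_errors` check works as a detection rule: run it over captured POST bodies for the endpoints the advisory lists, and any request with a non-empty error map is either a broken client or an injection attempt. The separation matters because validation alone is not the fix; the parameter binding in `safe_add_event` is what keeps the values out of the SQL text even for fields that carry free text.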
===========
References:
===========

[1] http://community.mybboard.net/showthread.php?tid=5184
[2] http://www.trapkit.de/advisories/TKADV2005-12-001.txt
[3] http://www.trapkit.de/advisories/TKPN2005-12-001.txt
[4] http://www.trapkit.de/advisories/TKADVcortav.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2005 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ6xPFZF8YHACG4RBEQJx1QCfdFspLw8epNGeZXzNLfxVcbpP4fIAoL/c
Yj40PaAEeU82FFSNBUBbtVcF
=Tb+B
-----END PGP SIGNATURE-----