MyBB 1.6.x multiple vulnerabilities - by unnex
-----------------------------------
tested on MyBB 1.6.6 & 1.6.7.
download: http://www.mybb.com/downloads

xss
full path disclosure
sql information disclosure

---MyBB 1.6.x (106x) multiple vulnerabilities---

---xss in onclick event---
bug in: modcp.php on line 2714.
the output of the POST or GET parameter "ipaddress" in the onclick event allows xss. the value is placed inside the JavaScript function call MyBB.popupWindow and may contain a single quote ('). an attacker can close the string and the function call and use other functions or commands to execute JavaScript. it is an xss vulnerability that can be combined with clickjacking: an attacker can send the PoC as a POST or GET parameter in an iframe or similar to hide the window and trick a moderator or admin into clicking the xss link (using clickjacking in an iframe with opacity to obfuscate the link and display anything as the link, etc.). (no token is needed to execute it; normal members can also use this xss against mods and admins.)
onclick: (Information on This IP Address)
fix: modcp.php on line 2714.
replace:
$misc_info_link = "<div class=\"float_right\">(<a href=\"modcp.php?action=iplookup&ipaddress=".htmlspecialchars_uni($mybb->input['ipaddress'])."\" onclick=\"MyBB.popupWindow('{$mybb->settings['bburl']}/modcp.php?action=iplookup&ipaddress=".htmlspecialchars_uni($mybb->input['ipaddress'])."', 'iplookup', 500, 250); return false;\">{$lang->info_on_ip}</a>)</div>";
with:
// htmlspecialchars_uni() does not encode the single quote, so encode it as &#039; before the value enters the single-quoted JS string
// (the entity is assumed here; the published text shows a plain apostrophe as replacement, which would be a no-op)
$misc_info_link = "<div class=\"float_right\">(<a href=\"modcp.php?action=iplookup&ipaddress=".htmlspecialchars_uni($mybb->input['ipaddress'])."\" onclick=\"MyBB.popupWindow('{$mybb->settings['bburl']}/modcp.php?action=iplookup&ipaddress=".htmlspecialchars_uni(preg_replace("/'/", "&#039;", $mybb->input['ipaddress']))."', 'iplookup', 500, 250); return false;\">{$lang->info_on_ip}</a>)</div>";

---full path disclosure (php error)---
bug in: private.php.
the php error appears with any unsupported operand in the POST parameter "daycut": send daycut as an array and the error follows.
random result:
Fatal error: Unsupported operand types in /var/www/web012/html/mypage/private.php on line 1659
fix: open private.php on line 1659 and add is_numeric($mybb->input['daycut']) to your if statement (is_int() would not work here: request values arrive as strings, so it would always be false and disable the filter, while is_numeric() rejects the array and keeps numeric input working):
if($mybb->input['daycut'] && is_numeric($mybb->input['daycut']) && ($mybb->input['dayway'] != "disregard"))

---sql information disclosure (sql error)---
bug in: usercp.php on line 1104.
you receive an error by sending unsupported characters together with an existing username in the POST parameter "username". the script tries to update the existing username with the unsupported characters, and the result is an error message. e.g. in the username parameter: an existing username followed by %99 or any other unsupported characters.
fix: usercp.php on line 1104
replace:
"username" => $mybb->input['username']
with:
"username" => utf8_encode($mybb->input['username'])
or your own encode method. warning: it will save all characters, also crlf etc.!
random result:
MyBB has experienced an internal SQL error and cannot continue.
SQL Error: 1062 - Duplicate entry 'test' for key 2
Query: UPDATE mybb_users SET `username`='test?' WHERE uid='1'
Please contact the MyBB Group for support.

...notice: many stored xss in the admin panel (create category etc., forum etc.), stored xss in settings and when reading moderator notes on users etc. many bugs... I don't like to check more in the private range of moderators and admins...

---
greetz unnex
visit: http://blacknet.me & http://hacker-blackbook.de
greetz to: http://forum.mbit.de/
---
this information is not intended for criminal purposes.
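the root cause of the onclick xss in modcp.php above, shown as an added example that is not MyBB's own code: mybb16_escape() imitates MyBB 1.6's htmlspecialchars_uni, which leaves the single quote unencoded, next to a hardened builder that encodes for the URL, the JS string and the HTML attribute context in turn. function names and the probe value are constructed for this example; PHP 7.4+ is assumed.

```php
<?php
// Added example, not MyBB's own code: why the onclick sink in modcp.php needs
// JavaScript-string encoding on top of attribute encoding. mybb16_escape()
// reproduces MyBB 1.6's htmlspecialchars_uni, which encodes & < > " but leaves
// the single quote alone, so a ' can terminate the single-quoted JS string.

function mybb16_escape(string $s): string {
    $s = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $s);
    return str_replace(["<", ">", "\""], ["&lt;", "&gt;", "&quot;"], $s);
}

// vulnerable pattern: raw input inside a single-quoted JS string inside onclick
function vulnerable_onclick(string $ip): string {
    return "MyBB.popupWindow('/modcp.php?action=iplookup&ipaddress="
        . mybb16_escape($ip) . "', 'iplookup', 500, 250); return false;";
}

// hardened pattern: encode for each nested context, innermost first
function hardened_onclick(string $ip): string {
    // URL context: the value can only ever be a query-string value
    $url = "/modcp.php?action=iplookup&ipaddress=" . rawurlencode($ip);
    // JS context: json_encode gives a string literal with ' " < > & escaped
    $js = "MyBB.popupWindow("
        . json_encode($url, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP)
        . ", 'iplookup', 500, 250); return false;";
    // HTML attribute context: ENT_QUOTES also encodes the single quote
    return htmlspecialchars($js, ENT_QUOTES, "UTF-8");
}

// review check: how many extra apostrophes reach the JS parser (after the browser
// has decoded the attribute) compared with a harmless value? 0 means the input
// cannot close the string; anything above 0 is the bug described in the advisory.
function extra_apostrophes(callable $builder, string $ip): int {
    $count = fn(string $v): int =>
        substr_count(html_entity_decode($builder($v), ENT_QUOTES, "UTF-8"), "'");
    return $count($ip) - $count("1.2.3.4");
}

// constructed probe: a valid-looking address followed by one apostrophe
$probe = "1.2.3.4'";
printf("vulnerable: %d extra apostrophe(s)\n", extra_apostrophes('vulnerable_onclick', $probe));
printf("hardened:   %d extra apostrophe(s)\n", extra_apostrophes('hardened_onclick', $probe));
```

the same check can be pointed at any other onclick or inline-script sink in the forum to find places where htmlspecialchars_uni alone is relied on.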