The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: Multiple SQL Injection vulnerabilities in MyBB
Name: TKADV2005-12-001
Revision: 1.0
Release Date: 2005/12/23
Last Modified: 2005/12/23
Date Reported: 2005/11/07
Author: Tobias Klein (tk at trapkit.de)
Affected Software: MyBB (all versions <= MyBB PR2 Rev.686)
Risk: Critical (x) High ( ) Medium ( ) Low ( )
Vendor URL: http://www.mybboard.com/
Vendor Status: Vendor has released an updated version
=========
Overview:
=========
MyBB is a powerful, efficient and free forum package developed in
PHP and MySQL.
Version MyBB PR2 Rev.686 and prior contain multiple SQL Injection
vulnerabilities.
======================
Vulnerability details:
======================
Some of the following vulnerabilities can be successfully exploited
by every anonymous guest user of MyBB. To exploit the other issues
a registered user account is needed. Because of that all
vulnerabilities are rated with a high probability of occurrence.
Every single SQL injection issue that is described in the following
allows a full compromise of a MyBB installation (f.e. steal or
[re]set the administrator password). PoC code has been developed
but won't be released to the public.
For a description of the calculation of the resulting threat of a
vulnerability see reference [3].
[1] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any anonymous
guest user of MyBB.
Vulnerable URL:
[path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: month
Proof of Concept (POST request):
POST [path_to_mybb]/calendar.php HTTP/1.1
Parameter | Value
--------------------------------
month | 11[SQL]
day | 11
year | 2005
subject | test
description | test
action | do_addevent
[2] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any anonymous
guest user of MyBB.
Vulnerable URL:
[path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: day
Proof of Concept (POST request):
POST [path_to_mybb]/calendar.php HTTP/1.1
Parameter | Value
--------------------------------
month | 11
day | 11[SQL]
year | 2005
subject | test
description | test
action | do_addevent
[3] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any anonymous
guest user of MyBB.
Vulnerable URL:
[path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: year
Proof of Concept (POST request):
POST [path_to_mybb]/calendar.php HTTP/1.1
Parameter | Value
--------------------------------
month | 11
day | 11
year | 2005[SQL]
subject | test
description | test
action | do_addevent
[4] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any registered
user of MyBB.
Vulnerable URL:
[path_to_mybb]/usercp.php?action=options
Vulnerable POST parameter: threadmode
Proof of Concept (POST request):
POST [path_to_mybb]/usercp.php HTTP/1.1
Parameter | Value
--------------------------------
allownotices | yes
emailnotify | yes
receivepms | yes
pmpopup | yes
pmnotify | yes
dateformat |
timeformat |
timezoneoffset | 0
tpp |
daysprune |
ppp |
threadmode | [SQL]
showcodebuttons | 1
style | 0
language |
action | do_options
regsubmit | Update Options
[5] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any registered
user of MyBB.
Vulnerable URL:
[path_to_mybb]/usercp.php?action=options
Vulnerable POST parameter: showcodebuttons
Proof of Concept (POST request):
POST [path_to_mybb]/usercp.php HTTP/1.1
Parameter | Value
--------------------------------
allownotices | yes
emailnotify | yes
receivepms | yes
pmpopup | yes
pmnotify | yes
dateformat |
timeformat |
timezoneoffset | 0
tpp |
daysprune |
ppp |
threadmode |
showcodebuttons | 1[SQL]
style | 0
language |
action | do_options
regsubmit | Update Options
[6] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any registered
user of MyBB.
Vulnerable URL:
[path_to_mybb]/usercp.php?action=editlists
Vulnerable POST parameter: list
Proof of Concept (POST request):
POST [path_to_mybb]/usercp.php HTTP/1.1
Parameter | Value
--------------------------------
listuser%5B1%5D | admin
listuser%5Bnew1%5D |
listuser%5Bnew2%5D |
action | do_editlists
list | buddy[SQL]
submit | Update Buddy List
[7] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any registered
user of MyBB.
Vulnerable URL:
[path_to_mybb]/member.php?action=rate&uid=1
Vulnerable POST parameter: rating
Proof of Concept (POST request):
POST [path_to_mybb]/member.php HTTP/1.1
Parameter | Value
--------------------------------
rating | 5[SQL]
action | do_rate
uid | 1
[8] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any registered
user of MyBB.
Vulnerable URL:
[path_to_mybb]/showthread.php?tid=1
Vulnerable POST parameter: rating
Proof of Concept (POST request):
POST [path_to_mybb]/ratethread.php HTTP/1.1
Parameter | Value
--------------------------------
rating | 5[SQL]
tid | 1
=========
Solution:
=========
Upgrade to MyBB 1.0 or newer.
http://www.mybboard.com/downloads.php
========
History:
========
2005/11/07 - Vendor notified
2005/11/07 - Vendor response
2005/11/15 - Contacted vendor regarding status report
2005/11/16 - Vendor response
2005/12/04 - Contacted vendor regarding status report
2005/12/06 - Vendor response
2005/12/09 - Release of new MyBB version
2005/12/09 - Patch notification released
2005/12/23 - Full technical details released to general public
========
Credits:
========
Vulnerabilities found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://community.mybboard.net/showthread.php?tid=5184
[2] http://www.trapkit.de/advisories/TKADV2005-12-001.txt
[3] http://www.trapkit.de/advisories/TKPN2005-12-001.txt
[4] http://www.trapkit.de/advisories/TKADVcortav.txt
========
Changes:
========
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
==================
PGP Signature Key:
==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2005 Tobias Klein. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQ6xPFZF8YHACG4RBEQJx1QCfdFspLw8epNGeZXzNLfxVcbpP4fIAoL/c
Yj40PaAEeU82FFSNBUBbtVcF
=Tb+B
-----END PGP SIGNATURE-----
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum