MyBB < 1.8.4 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8656

Synopsis

The remote web server is running a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of MyBB (MyBulletinBoard) prior to 1.8.4 are affected by the following vulnerabilities:

- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'member.php' script does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 118516)
- A flaw exists that allows an XSS attack. This flaw exists because the MyCode editor does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 118517)
- A flaw exists related to ACP login, as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack against the victim. The impact is unspecified, though it is presumably related to the ACP login functionality. (OSVDB 118519)
- A flaw exists that is triggered as group join request notifications are sent to the wrong group leaders. This may allow a remote attacker to gain access to potentially sensitive information. (OSVDB 118520)
- A flaw exists in the cache handler that is triggered as 'var_export' is used without encoding checks. This may allow an attacker to have an unspecified impact. (OSVDB 118521)
- A flaw exists in the JSON library that may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. (OSVDB 118522)
- Multiple flaws exist that allow stored XSS attacks in the following scripts:
  - /admin/modules/config/mycode.php (OSVDB 118909)
  - /admin/modules/user/groups.php (OSVDB 118911)
  - /admin/modules/style/templates.php (OSVDB 118912)
  - /admin/modules/tools/tasks.php (OSVDB 118913)
  - /admin/modules/config/post_icons.php (OSVDB 118914)
  - /admin/modules/config/banning.php (OSVDB 118916)
  - /admin/modules/user/users.php (OSVDB 138135)

  These flaws exist because the input is not validated for various fields when creating and editing users before returning it to users. This may allow an authenticated, remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to MyBB version 1.8.4 or higher.

See Also

http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release

Plugin Details

Severity: High

ID: 8656

File Name: 8656.prm

Family: CGI

Published: 2015/03/30

Modified: 2016/12/12

Dependencies: 9126

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Patch Publication Date: 2015/02/15

Vulnerability Publication Date: 2015/02/15

Reference Information

CVE: CVE-2014-3826, CVE-2014-3827, CVE-2015-2149, CVE-2015-2332, CVE-2015-2333, CVE-2015-2334, CVE-2015-2335, CVE-2015-2352, CVE-2015-2786

BID: 72738, 73212, 73213, 73214, 73216, 73257, 73394