MyBB < 1.6.18 / 1.8.x < 1.8.6 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9124

Synopsis

The remote web server is running a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of MyBB (MyBulletinBoard) prior to 1.6.18, or 1.8.x prior to 1.8.6, are affected by the following vulnerabilities:

- An unspecified flaw exists in the 'xmlhttp.php' script that may allow a remote attacker to bypass authentication mechanisms for the forum. No further details have been provided by the vendor. (OSVDB 127289)
- A SQL injection flaw exists because the 'Grouppromotions' module of the Admin Control Panel (ACP) does not properly sanitize user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. (OSVDB 127290)
- A cross-site scripting (XSS) flaw exists because the error handler does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 127291)
- An XSS flaw exists because the program does not validate input related to old upgrade files before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 127292)
- A flaw exists related to error log files that may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. (OSVDB 127293)
- A flaw exists because HTTP requests to 'member.php' do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack that logs the victim in to an attacker-controlled account (a login CSRF). (OSVDB 144501)
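The affected-range test that the description above spells out, as an added worked example (this is not the plugin's own code; the 9124.prm logic is not reproduced here): a Python checker that parses a MyBB version string and reports whether it falls in either vulnerable range, 1.6.x before 1.6.18 or 1.8.x before 1.8.6. The page does not say how the plugin recovers the version from observed traffic, so the version strings fed to it below are constructed sample input and the helper that tags them with a host name is hypothetical.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory.  The 1.6 and 1.8 branches were
# maintained in parallel, so a version must be tested against the
# threshold of its own branch rather than against a single number.
FIXED_16 = (1, 6, 18)
FIXED_18 = (1, 8, 6)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the first dotted-numeric version found in `text` as a tuple
    padded to three components, e.g. 'MyBB 1.8' -> (1, 8, 0).
    Raises ValueError when no version number is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when `version` lies in a range the advisory calls vulnerable:
    anything below 1.6.18 (the 1.6 branch and older), or a 1.8.x release
    below 1.8.6.  Releases at or above the fixed version are not flagged."""
    v = parse_version(version)
    if v < FIXED_16:
        return True
    if v[:2] == FIXED_18[:2] and v < FIXED_18:
        return True
    return False


def triage(observations: Dict[str, str]) -> Dict[str, bool]:
    """Hypothetical helper: map host -> observed version string to
    host -> affected flag.  Hosts whose string carries no parsable
    version are skipped rather than guessed at."""
    result: Dict[str, bool] = {}
    for host, banner in observations.items():
        try:
            result[host] = is_affected(banner)
        except ValueError:
            continue
    return result


# Constructed sample input (not captured from any real host).
SAMPLE_OBSERVATIONS = {
    "forum-a.example": "MyBB 1.6.17",
    "forum-b.example": "MyBB 1.6.18",
    "forum-c.example": "MyBB 1.8.5",
    "forum-d.example": "MyBB 1.8.6",
    "forum-e.example": "MyBB 1.8.10",
    "forum-f.example": "MyBB",  # no version visible: skipped
}

if __name__ == "__main__":
    for host, flagged in triage(SAMPLE_OBSERVATIONS).items():
        print(f"{host}: {'AFFECTED' if flagged else 'not affected'}")
```

Note that a plain numeric comparison would misclassify 1.8.5 as newer than 1.6.18 and therefore safe; the branch-aware test above is what the affected-version statement actually requires.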

Solution

Upgrade to MyBB version 1.6.18 / 1.8.6 or later.

See Also

https://github.com/mybb/docs.mybb.com/blob/gh-pages/versions/1.6.18.md

https://github.com/mybb/docs.mybb.com/blob/gh-pages/versions/1.8.6.md

Plugin Details

Severity: Critical

ID: 9124

File Name: 9124.prm

Family: CGI

Published: 2016/03/03

Modified: 2016/12/12

Dependencies: 9126

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Patch Publication Date: 2015/09/07

Vulnerability Publication Date: 2015/09/07