MyBB < 1.8.7 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 9275 (Severity: High)

Synopsis

The remote web server is running a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of MyBB (MyBulletinBoard) prior to 1.8.7 are affected by the following vulnerabilities:

- A flaw in the moderation tool does not properly sanitize user-supplied input before using it in SQL queries, allowing a remote attacker to inject or manipulate SQL queries in the back-end database, leading to the manipulation or disclosure of arbitrary data. (OSVDB 135915)
- A flaw exists in the 'newreply.php' script due to a missing permission check, allowing an attacker to perform unspecified actions without the appropriate permissions. (OSVDB 135916)
- Multiple flaws exist because the program does not validate input before returning it to users, allowing a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 135917, OSVDB 135918, OSVDB 135919, OSVDB 135920, OSVDB 135921, OSVDB 135922)
- An unspecified flaw may allow an attacker to gain access to potentially sensitive database details through templates. (OSVDB 135923)
- A flaw exists when sending mail from the Admin Control Panel (ACP) that may allow a remote attacker to disclose the software's ACP path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. (OSVDB 135924)
- A flaw exists due to the program using insufficient entropy for 'adminsid' and 'sid', resulting in the predictable generation of values. (OSVDB 135925)
- An unspecified flaw in the ACP may allow a context-dependent attacker to conduct a clickjacking attack. (OSVDB 135926)
- A flaw exists due to a lack of directory listing protection mechanisms for uploaded directories, allowing a remote attacker to gain unauthorized access to information about directories. (OSVDB 135927)
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'forumdisplay.php' script not properly sanitizing user-supplied input to the 'threadsperpage' setting before using it in SQL queries. This may allow an authenticated, remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. (OSVDB 144502)
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to forum post attachments before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148589)
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade30.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148590)
- A flaw exists that allows a reflected XSS attack. This flaw exists because the '/Upload/search.php' script does not validate input to error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148591)
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade3.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148592)
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade12.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148593)
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade13.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148594)
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade30.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148595)
- A flaw exists that allows a stored XSS attack. This flaw exists because the '/Upload/modcp.php' script does not validate input to user signatures before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 148596)

Solution

Upgrade to MyBB version 1.8.7 or later.

See Also

https://github.com/mybb/docs.mybb.com/blob/gh-pages/versions/1.8.7.md

Plugin Details

Severity: High

ID: 9275

Family: CGI

Published: 2016/04/20

Modified: 2017/01/06

Dependencies: 9126

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Patch Publication Date: 2016/03/11

Vulnerability Publication Date: 2016/03/11