MyBB < 1.8.7 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9275

Synopsis

The remote web server is running a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of MyBB (MyBulletinBoard) prior to 1.8.7 are affected by the following vulnerabilities:

- The moderation tool does not properly sanitize user-supplied input before using it in SQL queries, allowing a remote attacker to inject or manipulate SQL queries in the back-end database and thereby manipulate or disclose arbitrary data.
- The 'newreply.php' script is missing a permission check, allowing an attacker to perform unspecified actions without the appropriate permissions.
- Multiple flaws exist because the program does not validate input before returning it to users, allowing a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- An unspecified flaw may allow an attacker to gain access to potentially sensitive database details through templates.
- A flaw exists when sending mail from the ACP that may allow a remote attacker to disclose the software's ACP path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- The program uses insufficient entropy when generating the 'adminsid' and 'sid' values, making them predictable.
- An unspecified flaw in the ACP may allow a context-dependent attacker to conduct a clickjacking attack.
- The upload directories lack directory listing protection, allowing a remote attacker to gain unauthorized access to information about their contents.
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'forumdisplay.php' script not properly sanitizing user-supplied input to the 'threadsperpage' setting before using it in SQL queries. This may allow an authenticated, remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to forum post attachments before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade30.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the '/Upload/search.php' script does not validate input to error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade3.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade12.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade13.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a stored XSS attack. This flaw exists because the '/Upload/modcp.php' script does not validate input to user signatures before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to MyBB version 1.8.7 or later.
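To confirm an upgrade actually landed, a defender can read the version out of the installed tree and compare it numerically against the fixed release. The check below is an added example written for this page, not Nessus or MyBB code; it assumes the version string appears as `$version = "x.y.z";` (as in MyBB's inc/class_core.php) or as a "MyBB x.y.z" banner, and it compares tuples rather than strings so that 1.8.10 is correctly treated as newer than 1.8.7.

```python
import re

# First release that contains the fixes listed in this advisory.
FIXED_VERSION = (1, 8, 7)

# Constructed sample of the version line found in inc/class_core.php (assumption).
SAMPLE_CLASS_CORE = '''
class MyBB {
    public $version = "1.8.6";
    public $version_code = 1806;
}
'''


def parse_version(text):
    """Return the MyBB version as an (major, minor, patch) tuple, or None."""
    # Source-file form: $version = "1.8.6";
    m = re.search(r'\$version\s*=\s*["\'](\d+)\.(\d+)\.(\d+)["\']', text)
    if not m:
        # Banner form: "MyBB 1.8.6" (e.g. in a footer or generator string)
        m = re.search(r'\bMyBB\s+(\d+)\.(\d+)\.(\d+)\b', text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the detected version is older than the fixed release.

    Tuple comparison avoids the classic mistake of comparing dotted
    strings, where "1.8.10" sorts before "1.8.7".
    """
    return version is not None and version < FIXED_VERSION


def check_install(text):
    """Summarise the finding for a given source or banner snippet."""
    version = parse_version(text)
    if version is None:
        return "unknown: no MyBB version string found"
    label = ".".join(str(p) for p in version)
    if is_affected(version):
        return f"affected: MyBB {label} < 1.8.7, upgrade required"
    return f"not affected: MyBB {label} >= 1.8.7"


if __name__ == "__main__":
    print(check_install(SAMPLE_CLASS_CORE))
```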

See Also

https://github.com/mybb/docs.mybb.com/blob/gh-pages/versions/1.8.7.md

Plugin Details

Severity: High

ID: 9275

Family: CGI

Published: 4/20/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Patch Publication Date: 3/11/2016

Vulnerability Publication Date: 3/11/2016