MyBB < 1.8.4 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 8656 (severity: high)

Synopsis

The remote web server is running a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of MyBB (MyBulletinBoard) prior to 1.8.4 are affected by the following vulnerabilities:

- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'member.php' script does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the MyCode editor does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists in the ACP login because HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a cross-site request forgery (CSRF / XSRF) attack with an unspecified impact, though it is presumably related to the ACP login functionality.
- A flaw exists that is triggered as group join request notifications are sent to the wrong group leaders. This may allow a remote attacker to gain access to potentially sensitive information.
- A flaw exists in the cache handler that is triggered as 'var_export' is used without encoding checks. This may allow an attacker to have an unspecified impact.
- A flaw exists in the JSON library that may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- Multiple flaws exist that allow stored XSS attacks in the following scripts:
  - /admin/modules/config/mycode.php
  - /admin/modules/user/groups.php
  - /admin/modules/style/templates.php
  - /admin/modules/tools/tasks.php
  - /admin/modules/config/post_icons.php
  - /admin/modules/config/banning.php
  - /admin/modules/user/users.php

  These flaws exist because the input is not validated for various fields when creating and editing users before returning it to users. This may allow an authenticated, remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to MyBB version 1.8.4 or higher.

See Also

http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release

Plugin Details

Severity: High

ID: 8656

Family: CGI

Published: 3/30/2015

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Patch Publication Date: 2/15/2015

Vulnerability Publication Date: 2/15/2015

Reference Information

CVE: CVE-2014-3826, CVE-2014-3827, CVE-2015-2149, CVE-2015-2332, CVE-2015-2333, CVE-2015-2334, CVE-2015-2335, CVE-2015-2352, CVE-2015-2786

BID: 72738, 73212, 73213, 73214, 73216, 73257, 73394