MyBB < 1.6.18 / 1.8.x < 1.8.6 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9124

Synopsis

The remote web server is running a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of MyBB (MyBulletinBoard) prior to 1.6.18, or 1.8.x prior to 1.8.6 are affected by the following vulnerabilities :

- An unspecified flaw exists in the 'xmlhttp.php' script that may allow a remote attacker to bypass authentication mechanisms for the forum. No further details have been provided by the vendor.
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'Grouppromotions' Module (ACP) not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A cross-site scripting (XSS) flaw exists because the error handler does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A XSS flaw exists because the program does not validate input related to old upgrade files before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists related to error log files that may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists as HTTP requests to 'member.php' do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to log in via an attacker-controlled account.

Solution

Upgrade to MyBB version 1.6.17 / 1.8.5 or later.

See Also

https://github.com/mybb/docs.mybb.com/blob/gh-pages/versions/1.6.18.md

https://github.com/mybb/docs.mybb.com/blob/gh-pages/versions/1.8.6.md

Plugin Details

Severity: Critical

ID: 9124

Family: CGI

Published: 3/3/2016

Updated: 3/6/2019

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Patch Publication Date: 9/7/2015

Vulnerability Publication Date: 9/7/2015