The remote web server is running a PHP application that is vulnerable to multiple attack vectors.
Description
Versions of MyBB (MyBulletinBoard) prior to 1.8.7 are affected by the following vulnerabilities:

- A flaw in the moderation tool does not properly sanitize user-supplied input before using it in SQL queries allowing a remote attacker to inject or manipulate SQL queries in the back-end database, leading to the manipulation or disclosure of arbitrary data.
- A flaw exists in the 'newreply.php' script due to a missing permission check allowing an attacker to perform unspecified actions without the appropriate permissions.
- Multiple flaws exist because the program does not validate input before returning it to users, allowing a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- An unspecified flaw may allow an attacker to gain access to potentially sensitive database details through templates.
- A flaw exists when sending mails from ACP that may allow a remote attacker to disclose the software's ACP path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists due to the program using insufficient entropy for 'adminsid' and 'sid' resulting in the predictable generation of values.
- An unspecified flaw in ACP may allow a context-dependent attacker to conduct a clickjacking attack.
- A flaw exists due to a lack of directory listing protection mechanisms for uploaded directories allowing a remote attacker to gain unauthorized access to information about directories.
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'forumdisplay.php' script not properly sanitizing user-supplied input to the 'threadsperpage' setting before using it in SQL queries. This may allow an authenticated, remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to forum post attachments before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade30.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the '/Upload/search.php' script does not validate input to error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade3.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade12.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a reflected XSS attack. This flaw exists because the 'upgrade13.php' script does not validate input to the 'ipstart' POST parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows a stored XSS attack. This flaw exists because the '/Upload/modcp.php' script does not validate input to user signatures before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.