Full Disclosure mailing list archives
Re: Multiple vulnerabilities in MyBB
From: Andrew Farmer <andfarm () gmail com>
Date: Sat, 23 Apr 2011 12:32:56 -0700
On 2011-04-22, at 09:21, MustLive wrote:
Information Leakage (WASC-13): Logins are names of the users at the forum (and so it's possible to reveal logins at forum's pages).
You're kidding, right? Revealing the names of forum users is practically core functionality. There's no expectation whatsoever that they be kept secret - they're displayed all over the site, and a member list (giving you the ability to download ALL USER NAMES ON THE FORUM OMG) is enabled by default.
Insufficient Anti-automation (WASC-21): http://site/member.php?action=activate&uid=1 http://site/member.php?action=lostpw These functionalities have no protection from automated attacks (captcha).
The first one requires an activation code sent by email. I suppose you could *try* to brute-force it, but you'd probably have better luck brute-forcing the password on the email address you sent the activation to. The second one... well, I suppose you could use it to try to determine whether email addresses belong to anyone on the forum, or send annoying password reset emails, but adding a CAPTCHA wouldn't really change that much. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Multiple vulnerabilities in MyBB MustLive (Apr 22)
- Re: Multiple vulnerabilities in MyBB Andrew Farmer (Apr 23)
- Re: Multiple vulnerabilities in MyBB MustLive (Apr 25)
- Re: Multiple vulnerabilities in MyBB Zach C. (Apr 25)
- Re: Multiple vulnerabilities in MyBB MustLive (Apr 27)
- Re: Multiple vulnerabilities in MyBB Zach C. (Apr 27)
- Insect Pro - Advisory 2011 0427 Persistent Cross-Site Scripting (XSS) in xMatters AlarmPoint Juan Sacco (Apr 28)
- Re: Multiple vulnerabilities in MyBB MustLive (Apr 25)
- Re: Multiple vulnerabilities in MyBB Andrew Farmer (Apr 23)