Re: Multiple vulnerabilities in MyBB

["MustLive" <mustlive () websecurity com ua>]

Hi Zach!

> So if you try to sign up with a website and it tells you the username is
> already taken, is that a login leakage vulnerability?

Yes, it is. This is one from different variations of login leakage
vulnerabilities.

In my classification of such vulnerabilities I've divided them on two types:
Information Leakage (which leads to leaking of logins) and Abuse of
Functionality (which allows login enumeration attacks. e.g. by bruteforcing
logins).

For example MyBB, as many other web applications (including almost all forum
engines), has both types of login leakage vulnerabilities. MyBB has
Information Leakage by using logins as names and showing them at different
pages of forum. And it has Abuse of Functionality in different
functionalities (such as in register and login functionalities - the most
popular places for login leakages).

Both types of login leakage vulnerabilities are widespread, especially the
second type (on those sites and engines where admins and web developers are
trying to not use logins as a names, there are often happen second type of
such holes). For enumerate logins via second type of such holes I've created 
at beginning of 2008 a tool Brute force login identifier (for pentests and 
security researches). And about second type of such holes I wrote in my 
article Enumerating logins via Abuse of Functionality vulnerabilities.

Also draw attention, as I wrote in my second advisory about MyBB, that at
registration pages there can be different login leakages. As in form
itself, as in AJAX functionality. You can find such AJAX login checkers
(which are vulnerable to login enumeration) at many web sites, especially
large portals - from 2005, when AJAX started to rise, such functionalities
became very popular. In my news I wrote about many sites with such holes,
including Hulu, YouTube, Google and Microsoft live.com. Here is quote from
my advisory with two examples of such Abuse of Functionality holes:

http://site/xmlhttp.php?action=username_availability&value=test

http://site/xmlhttp.php?action=username_exists&value=test

When a site has Information Leakage which leaks logins of the users (like
in case of MyBB), then it's quicker to get them from different pages of the
site. If a site has no such holes, but has such Abuse of Functionality, then
it's possible to enumerate logins by bruteforcing. But when developers of
any webapp are willing to fix such holes, they need to fix all of them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: Zach C.
To: MustLive
Cc: Andrew Farmer ; full-disclosure () lists grok org uk
Sent: Tuesday, April 26, 2011 4:22 AM
Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB


So if you try to sign up with a website and it tells you the username is
already taken, is that a login leakage vulnerability?
Just want to be clear.
On Apr 25, 2011 11:59 AM, "MustLive" <mustlive () websecurity com ua> wrote:
> Hello Andrew!
>
> > You're kidding, right?
>
> No, I'm serious - as I'm always serious when talk about vulnerabilities.
>
> > Revealing the names of forum users is practically core functionality.
>
> Of course it's core functionality. But the hole, as I exactly wrote in my
> advisory, is in revealing of logins. So issue is laying in using logins as
> a
> names, so in result the showing names at different parts of the forum is
> leading to leakage of logins. It's quite widespread in forum engines and
> other webapps to disclose their logins (via different Information Leakage
> and Abuse of Functionality holes) as nothing important. Some CMS like
> Drupal
> even have official answer concerning this issue
> (http://drupal.org/node/1004778). From my side, I've informed Drupal
> developers about 8 login leakage holes which I found (in Drupal 6, new 7
> version must have them all, because of developers' ignoring of this issue)
> and gave them recommendations why and how to fix such holes to not reveal
> logins and to preserve Drupal's philosophy.
>
> Many forums (almost all) have similar login leakage vulnerabilities. For
> example IPB and Vbulletin, which developers I've informed about them in
> 2009. Like I informed many other developers and admins about such holes,
> beside developers of MyBB (which ignored to fix them, as many like to do).
>
> I saw a lot of such vulnerabilities for more then six years. And in 2008 I
> started to write about them at my site (like about holes in WordPress),
> wrote article Enumerating logins via Abuse of Functionality
> vulnerabilities
> (http://websecurity.com.ua/2840/) and starting from 2009 I've begun
> actively
> fighting with them - by informing many admins and developers about such
> vulnerabilities. In my practice most web developers and admins of sites
> ignored such holes, but there were those who fixed them. For example
> developers of IPB, which have such holes in IPB 1 and 2, after my
> informing
> (at begging of 2009) fixed all such holes in their engine in IPB 3 (it
> have
> released in summer 2009). It must be obvious why I'm using Invision Power
> Board as engine for my forum for more then 6 years.
>
> > The first one requires an activation code sent by email.
>
> This IAA hole can be used for automatic registration. Altogether with IAA
> hole at registration page. To put captcha to first or to second or to both
> of the pages - it's up to developers. But the protection must be reliable.
>
> Plus they have login leakage in this functionality. I've informed
> developers
> of MyBB about all (which I found at brief looking at this engine) login
> leakage vulnerabilities.
>
> > The second one
>
> This functionality with IAA allows spammers to identify valid e-mails of
> existing forum users and also allows to spam registered users from the
> forum
> with "password recovery" letters. Both of which can be easily mitigated by
> installing captcha at this functionality.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/