Full Disclosure mailing list archives
Multiple vulnerabilities in MyBB
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 22 Apr 2011 19:21:55 +0300
Hello list!

I want to warn you about Information Leakage, Abuse of Functionality, Insufficient Anti-automation and Brute Force vulnerabilities in MyBB.

-------------------------
Affected products:
-------------------------

Vulnerable are MyBB 1.6.3 and previous versions. In the recently released versions MyBB 1.6.3 and 1.4.16 the developers declined to fix these vulnerabilities.

----------
Details:
----------

Information Leakage (WASC-13):

Logins are the names of the users at the forum (and so it's possible to reveal logins at the forum's pages).

Abuse of Functionality (WASC-42):

Login enumeration is possible in these functionalities - by id it's possible to reveal all logins:

http://site/member.php?action=profile&uid=1
http://site/member.php?action=activate&uid=1

Abuse of Functionality (WASC-42):

http://site/member.php?action=login

If one enters an incorrect login and password, and a correct login and an incorrect password, then in the second case the captcha shows. This allows revealing logins (and this process can be automated, because it isn't protected by captcha).

Insufficient Anti-automation (WASC-21):

http://site/member.php?action=activate&uid=1
http://site/member.php?action=lostpw

These functionalities have no protection from automated attacks (captcha).

Brute Force (WASC-11):

In the login form (http://site/member.php?action=login) a vulnerable captcha is used, which shows after an unsuccessful authentication attempt. To bypass the captcha, the session reusing with constant captcha bypass method is used, which is described in my project Month of Bugs in Captchas (http://websecurity.com.ua/1551/).

------------
Timeline:
------------

2011.03.12 - announced at my site.
2011.03.16 - informed developers.
2011.04.17 - developers didn't fix these vulnerabilities in released versions MyBB 1.6.3 and 1.4.16.
2011.04.21 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4999/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
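
Archive note, not part of the message above: an added sketch of a login handler that avoids the two login-form behaviours the advisory describes, a captcha that appears only for existing logins and a captcha answer that stays valid across attempts in one session. It is example code in Python, not MyBB's; LoginGuard, USERS and all values are hypothetical and constructed for the demonstration.

```python
import hashlib, hmac, secrets

def _hash(pw):  # constant salt is a demo shortcut; use per-user salts in practice
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 1000)

USERS = {"alice": _hash("correct horse")}   # constructed account store
DUMMY = _hash("placeholder")                # compared against for unknown names
MAX_FREE_FAILURES = 1                       # failures allowed before a captcha

class LoginGuard:
    def __init__(self):
        self.failures = {}   # (kind, value) -> failure count
        self.captchas = {}   # session id -> pending one-time answer

    def issue_captcha(self, session_id):
        # A fresh challenge replaces any earlier one for this session.
        self.captchas[session_id] = secrets.token_hex(3)
        return self.captchas[session_id]  # a real app renders this as an image

    def _captcha_ok(self, session_id, supplied):
        # pop() consumes the answer on every check, right or wrong, so a
        # solved captcha cannot be replayed with the same session.
        expected = self.captchas.pop(session_id, None)
        if expected is None or supplied is None:
            return False
        return hmac.compare_digest(expected.encode(), supplied.encode())

    def attempt(self, session_id, client_ip, username, password, captcha=None):
        name = username.lower()
        # Counters are keyed by the submitted string and the client address,
        # never by whether the account exists, so the captcha decision is
        # identical for real and made-up logins.
        keys = [("ip", client_ip), ("name", name)]
        if any(self.failures.get(k, 0) >= MAX_FREE_FAILURES for k in keys):
            if not self._captcha_ok(session_id, captcha):
                return "captcha_required"
        # Always hash and compare, even for unknown names.
        ok = hmac.compare_digest(USERS.get(name, DUMMY), _hash(password)) and name in USERS
        if ok:
            self.failures.pop(("name", name), None)  # IP counter is not reset here
            return "ok"
        for k in keys:
            self.failures[k] = self.failures.get(k, 0) + 1
        return "invalid_credentials"
```
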