oss-sec mailing list archives

CVE request: MyBB 1.8.3 & 1.6.16 security releases


From: Henri Salo <henri () nerv fi>
Date: Wed, 10 Dec 2014 21:23:28 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can I get multiple CVEs for issues fixed in MyBB 1.8.3 & 1.6.16, thank you.

http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/

1.8.3

"""
The vulnerabilities are:
    High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
    Medium Risk: A XSS vulnerability in calender.php (reported by -Acid)
    Medium Risk: A XSS vulnerability in MyCode editor (reported by My-BB.Ir)
    Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
    Low Risk: unserialize may call PHP magic methods (reported by chtg)
    Low Risk: PHP setting request_order can break register globals handling (reported by chtg)

Additionally we’ve fixed an issue with the video MyCode introduced with MyBB
1.8.2 (#1625) and revised the handling of data fetched from our website as a
direct consequence of the compromised GitHub account (#1617). In addition to
that, we’ve set the adminsid cookie as httpOnly (#1622). We also plan to add
enhanced options to protect the Admin CP like two factor authentication with one
of the next maintenance releases.
"""

1.6.16

"""
The vulnerabilities are:

    Low Risk: A XSS vulnerability related to post icons (reported by Destroy666)
    Low Risk: A XSS vulnerability in admin/modules/style/templates.php
    Low Risk: A XSS vulnerability in admin/modules/config/languages.php
    Low Risk: unserialize may call magic methods (reported by chtg)
    Low Risk: request_order can break register globals handling (reported by chtg)

Additionally we’ve revised the handling of data fetched from our website as a
direct consequence of the compromised GitHub account (#1617). In addition to
that, we’ve set the adminsid cookie as httpOnly (#1622).
"""

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSInbAACgkQXf6hBi6kbk+HHwCgxg2yCr90kZnJRyuuEEagOJYS
P64AnjRISYE3GfVkpHNkLpYCtwkoqB6O
=HciC
-----END PGP SIGNATURE-----
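To illustrate the "unserialize may call PHP magic methods" item above, here is an added PHP 8 example (not from this e-mail, not MyBB code, and not how MyBB itself fixed the issue). It uses a hypothetical class `AuditLogEntry` with `__wakeup()` and `__destruct()` and a constructed serialized string standing in for attacker-controllable input, and shows why passing untrusted data to `unserialize()` lets the payload pick which classes are instantiated and therefore which magic methods run. The `allowed_classes => false` option (PHP 7.0+) and JSON are the standard hardened alternatives.

```php
<?php
declare(strict_types=1);

// Hypothetical class with magic methods; any such class reachable by the
// autoloader becomes a candidate for being instantiated by unserialize().
final class AuditLogEntry
{
    /** Records which magic methods ran, so the effect is observable. */
    public static array $calls = [];
    public string $path = 'default.log';

    public function __wakeup(): void
    {
        self::$calls[] = '__wakeup:' . $this->path;
    }

    public function __destruct()
    {
        self::$calls[] = '__destruct:' . $this->path;
    }
}

// Constructed sample input: a serialized AuditLogEntry whose property value was
// chosen by whoever supplied the string, not by the application.
$untrusted = 'O:13:"AuditLogEntry":1:{s:4:"path";s:14:"/tmp/other.log";}';

/** Risky pattern: every class named in the payload is instantiated. */
function restoreLegacy(string $data): mixed
{
    return unserialize($data);
}

/** Hardened: objects become __PHP_Incomplete_Class, so no magic method runs. */
function restoreHardened(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

/** Preferred for new code: JSON has no notion of objects with behaviour. */
function restoreAsJson(string $json): ?array
{
    $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// 1. Legacy call: __wakeup() runs during unserialize(), __destruct() when the
//    object is released, both with the caller-chosen property value.
$legacy = restoreLegacy($untrusted);
unset($legacy);
var_dump(AuditLogEntry::$calls);
// array(2) { "__wakeup:/tmp/other.log", "__destruct:/tmp/other.log" }

// 2. Hardened call: the data is still readable, but no AuditLogEntry exists.
AuditLogEntry::$calls = [];
$safe = restoreHardened($untrusted);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true)
unset($safe);
var_dump(AuditLogEntry::$calls);                    // array(0) {}

// 3. JSON round-trip for the same data, with no class involvement at all.
var_dump(restoreAsJson('{"path":"/tmp/other.log"}')); // array(1) { ["path"]=> ... }
```

When an application genuinely needs to deserialize its own objects, pass an explicit allow-list (`['allowed_classes' => [AuditLogEntry::class]]`) rather than `true`, and authenticate the serialized blob (for example with an HMAC over it) before it reaches `unserialize()`, so that only data the application itself produced is ever deserialized.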

