Re: [Full-disclosure] Multiple vulnerabilities in MyBB



I had another question too -- this one a bit more general. With services
like deathbycaptcha, could CAPTCHA itself now be considered insufficient
anti-automation, and how would you address that?

On Apr 25, 2011 11:59 AM, "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx> wrote:
Hello Andrew!

> You're kidding, right?

No, I'm serious - as I'm always serious when I talk about vulnerabilities.

> Revealing the names of forum users is practically core functionality.

Of course it's core functionality. But the hole, as I wrote exactly in my
advisory, is in the revealing of logins. So the issue lies in using logins as
names, with the result that showing names at different parts of the forum
leads to leakage of logins. It's quite widespread in forum engines and
other web apps to disclose their logins (via different Information Leakage
and Abuse of Functionality holes) as if it were nothing important. Some CMS like
Drupal even have an official answer concerning this issue
(http://drupal.org/node/1004778). From my side, I've informed the Drupal
developers about 8 login leakage holes which I found (in Drupal 6; the new 7
version must have them all, because of the developers' ignoring of this issue)
and gave them recommendations on why and how to fix such holes so as not to
reveal logins and to preserve Drupal's philosophy.

Many forums (almost all) have similar login leakage vulnerabilities. For
example IPB and vBulletin, whose developers I informed about them in
2009. Likewise I informed many other developers and admins about such holes,
besides the developers of MyBB (who ignored fixing them, as many like to do).

I've seen a lot of such vulnerabilities for more than six years. And in 2008 I
started to write about them at my site (like about holes in WordPress),
wrote the article Enumerating logins via Abuse of Functionality vulnerabilities
(http://websecurity.com.ua/2840/), and starting from 2009 I've begun actively
fighting them - by informing many admins and developers about such
vulnerabilities. In my practice most web developers and admins of sites
ignored such holes, but there were those who fixed them. For example the
developers of IPB, which had such holes in IPB 1 and 2, after my informing
them (at the beginning of 2009) fixed all such holes in their engine in IPB 3
(which was released in summer 2009). It must be obvious why I've been using
Invision Power Board as the engine for my forum for more than 6 years.

> The first one requires an activation code sent by email.

This IAA hole can be used for automatic registration, together with the IAA
hole at the registration page. Whether to put a captcha on the first or the
second or both of the pages - it's up to the developers. But the protection
must be reliable.

Plus they have login leakage in this functionality. I've informed the
developers of MyBB about all the login leakage vulnerabilities (which I found
at a brief look at this engine).

> The second one

This functionality with IAA allows spammers to identify valid e-mails of
existing forum users and also allows spamming registered users of the forum
with "password recovery" letters. Both of these can be easily mitigated by
installing a captcha on this functionality.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Andrew Farmer" <andfarm@xxxxxxxxx>
To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
Cc: "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Saturday, April 23, 2011 10:32 PM
Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB


On 2011-04-22, at 09:21, MustLive wrote:
> Information Leakage (WASC-13):
>
> Logins are names of the users at the forum (and so it's possible to reveal
> logins at forum's pages).

You're kidding, right?

Revealing the names of forum users is practically core functionality.
There's no expectation whatsoever that they be kept secret - they're
displayed all over the site, and a member list (giving you the ability to
download ALL USER NAMES ON THE FORUM OMG) is enabled by default.


> Insufficient Anti-automation (WASC-21):
>
> http://site/member.php?action=activate&uid=1
>
> http://site/member.php?action=lostpw
>
> These functionalities have no protection from automated attacks
> (captcha).

The first one requires an activation code sent by email. I suppose you could
*try* to brute-force it, but you'd probably have better luck brute-forcing
the password on the email address you sent the activation to.

The second one... well, I suppose you could use it to try to determine
whether email addresses belong to anyone on the forum, or send annoying
password reset emails, but adding a CAPTCHA wouldn't really change that
much.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
