Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALH-=7xMt0ejkN5dG+eiGLgKJn+aA7cyZcTrhT46hq0HVMeGiw@mail.gmail.com>
Date: Sat, 21 Feb 2015 13:36:14 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities

Hi Steve, Josh, vendors, list.

The researchers adamziaja, Devilshakerz, DingjieYang and me found multiple
stored XSS-vulnerabilities in the administrative backend of CMS MyBB v.
1.8.3.

The stored XSS-vulnerabilities can be found in different modules in the
following locations of a common MyBB installation:

======================
Module "config-attachment_types"
======================

via form-field MIME-type:

http://{TARGET}/admin/index.php?module=config-attachment_types&action=add

executed in: e.g. http://
{TARGET}/admin/index.php?module=config-attachment_types

===============
Module "config-mycode"
===============

via form fields "title" and "short description":

http://{TARGET}/admin/index.php?module=config-mycode&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode

===================
Module "forum-management"
===================

via form field "title":

http://{TARGET}/admin/index.php?module=forum-management&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=forum

==============
Module "user-groups"
==============

via form fields "title" and/or "short description":

http://{TARGET}/admin/index.php?module=user-groups&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups

================
Module "style-templates"
================

via form field "name":

http://{TARGET}/admin/index.php?module=style-templates&action=add_set

executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates

====================================
Module "style-templates" in action "add_template_group"
====================================

via form field "title":

http://
{TARGET}/admin/index.php?module=style-templates&action=add_template_group

executed in: e.g. http://
{TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID}

=============
Module "tool-tasks"
=============

via form field "title":

http://{TARGET}/admin/index.php?module=tools-tasks&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=================
Module "config-post_icons"
=================

via form field "name":

http://{TARGET}/admin/index.php?module=config-post_icons&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=============
Module "user-titles"
=============

via form field "title to assign":

http://{TARGET}/admin/index.php?module=user-titles&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

================
Module "config-banning"
================

via form field "username":

http://{TARGET}/admin/index.php?module=config-banning&type=usernames

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

Can I have a CVE-ID/CVE-IDs for these issues?

Thank you very much.

Greetings from Germany.

Steffen Rösemann

[1] http://www.mybb.com
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html
[3] http://www.mybb.com/get-involved/security/
[4]
http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/
[5] http://seclists.org/fulldisclosure/2015/Feb/80

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.