Release date:
Updated on:
Affected Systems:
MyBB Profile Blog
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56897
MyBB is a popular Web forum program. The Profile Blog plug-in can write information on the profile page.
In Profile Blog 1.2 and other versions, /plugins/profileblogs.php has security vulnerabilities that allow SQL injection and stored XSS attacks.
<* Source: Zixem
Link: http://packetstormsecurity.org/files/118769/mybbprofileblogs-sqlxss.txt
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
1. Create a new post in the profile blog,
2. Edit the post,
3. Inject in the edit GET parameter
Vulnerability
<?php
/* Line 253 */ $pid = $mybb->input['edit'];
/* Line 259 */ $db->query("UPDATE `".TABLE_PREFIX."blogposts` SET `subject` = '".$subject."', `message` = '".$message."' WHERE `pid` = '".$pid."'");
?>
Exploitation:
member.php?action=profile&uid=2&blogpage=1&edit=[VALID_ID]'[SQLi]
PoC: http://i.imgur.com/HY60R.png
Stored XSS
http://i.imgur.com/OTIRa.png
PoC: http://i.imgur.com/2Hv9J.png
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
MyBB
----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
http://mods.mybb.com/view/profile-blogs
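Until a vendor fix is available, the update at line 259 and the display of stored posts can be hardened along the following lines. This is an added example, not code from the plug-in or from MyBB: PDO with an in-memory SQLite database stands in for MyBB's database layer, and the function names and sample rows are assumptions.

```php
<?php
// Added example, not the plug-in's code. PDO with in-memory SQLite stands in
// for MyBB's database layer; table and column names follow the query at line 259.

function update_blog_post(PDO $db, $rawPid, string $subject, string $message): bool
{
    // The post id must be a positive integer; anything else is rejected
    // before it gets near the SQL layer.
    $pid = filter_var($rawPid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        return false;
    }
    // Placeholders keep subject, message and pid as data, never as SQL text.
    $stmt = $db->prepare(
        'UPDATE blogposts SET subject = :subject, message = :message WHERE pid = :pid'
    );
    $stmt->execute([':subject' => $subject, ':message' => $message, ':pid' => $pid]);
    return $stmt->rowCount() === 1;
}

function render_blog_post(array $post): string
{
    // Stored XSS is closed at output time: encode for the HTML context.
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h3>' . $enc($post['subject']) . '</h3><p>' . $enc($post['message']) . '</p>';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blogposts (pid INTEGER PRIMARY KEY, subject TEXT, message TEXT)');
$db->exec("INSERT INTO blogposts VALUES (1, 'first', 'hello'), (2, 'second', 'world')");

// An id with a trailing quote, as in the edit parameter above, is refused.
var_dump(update_blog_post($db, "1'", 'x', 'y'));
// A well-formed id updates exactly one row; markup in the message stays inert.
var_dump(update_blog_post($db, '1', 'edited', '<script>alert(1)</script>'));
$row = $db->query('SELECT subject, message FROM blogposts WHERE pid = 1')->fetch(PDO::FETCH_ASSOC);
echo render_blog_post($row), "\n";
```

Inside MyBB itself the same two controls map to casting the edit parameter with intval() and passing strings through $db->escape_string() before the query, and encoding with htmlspecialchars_uni() on output.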