SECURITYVULNS:DOC:26978
Sep 09, 2011

Security bypass vulnerability in MyBB


Hello 3APA3A!

I want to warn you about a security bypass vulnerability in MyBB, which allows bypassing its protection against Brute Force and conducting Brute Force attacks.

In August, in my article Bypassing captchas and blocking at web sites (http://websecurity.com.ua/5334/), I wrote about a vulnerability in MyBB as an example of such attacks (because it was a good example for the article). I'll describe it briefly in this advisory.

In April I disclosed a Brute Force vulnerability in MyBB (http://securityvulns.ru/docs26206.html), where it was possible to bypass the captcha in the login form by using session reuse with the constant captcha bypass method. The developers ignored this and other vulnerabilities (in the released MyBB 1.6.3). For this reason, I did not waste my time informing the developers about the new BF vulnerability in their software. In any case, I already mentioned such protection mechanisms and their bypass last year in publications at my site, including in my article (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-August/007003.html).

Brute Force (WASC-11):

As I found in August, the developers set a different protection method by default in the new versions MyBB 1.6.3 and 1.6.4 (it also exists in previous versions of the engine and is used at most forums on MyBB). This method uses a limit on login attempts instead of a captcha, but this protection can be easily bypassed using the method described in my article.

If cookies are not accepted (or the loginattempts cookie is deleted or emptied), then the number of login attempts is unlimited and any blocking fails. And if blocking has already triggered, it is enough to delete or empty this cookie to remove the block.

This is the situation on most forums on MyBB, but there are forums on versions of the engine which keep the counter of login attempts not in the loginattempts cookie but in the session. Then, to bypass the protection, it is enough to delete the sid cookie.
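The weakness described above, as an added example that is not MyBB's code or the advisory author's: a simulation of a login-attempt counter kept in a client cookie named loginattempts beside a counter kept in server state, run against a client that does and does not keep cookies. The account name, password and MAX_ATTEMPTS value are constructed for the demonstration.

```python
# Added example; models the two designs discussed in the advisory.
MAX_ATTEMPTS = 5
ACCOUNTS = {"alice": "correct-horse"}  # constructed sample credential


def cookie_counter_login(user, password, cookies):
    """Weak design: the server trusts the attempt count in the client's
    'loginattempts' cookie. Returns (result, cookies_to_set)."""
    attempts = int(cookies.get("loginattempts", "0"))
    if attempts >= MAX_ATTEMPTS:
        return "locked", cookies
    if ACCOUNTS.get(user) == password:
        return "ok", {**cookies, "loginattempts": "0"}
    return "fail", {**cookies, "loginattempts": str(attempts + 1)}


class ServerCounterLogin:
    """Hardened design: the count lives in server state keyed by account,
    so nothing the client omits or rewrites can reset it. A production
    version would also key on source address and expire old entries."""

    def __init__(self):
        self.failures = {}

    def login(self, user, password, cookies):
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked", cookies
        if ACCOUNTS.get(user) == password:
            self.failures.pop(user, None)
            return "ok", cookies
        self.failures[user] = self.failures.get(user, 0) + 1
        return "fail", cookies


def run_client(login_fn, keep_cookies, tries=20):
    """Send `tries` wrong passwords and count how many the server actually
    evaluated ("fail") versus refused ("locked"). A client that does not
    keep cookies presents an empty cookie jar on every request."""
    jar = {}
    evaluated = refused = 0
    for i in range(tries):
        result, set_cookies = login_fn("alice", f"wrong{i}", jar)
        jar = dict(set_cookies) if keep_cookies else {}
        if result == "fail":
            evaluated += 1
        elif result == "locked":
            refused += 1
    return evaluated, refused
```

With the cookie-based counter, a client that keeps cookies is refused after MAX_ATTEMPTS failures, while one that drops them has every attempt evaluated; the server-side counter refuses both after MAX_ATTEMPTS.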

All versions of MyBB are vulnerable (MyBB 1.6.4 and previous versions) when the non-captcha method of protection against Brute Force attacks is used at the forum. Concerning bypassing the captcha in the login form, I already wrote about it in the above-mentioned advisory about MyBB.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua