############################################################################
# Exploit Title : MyBB 1.6.x ChangUonDyU Chatbox Plugins 3.6.0 Cross Site Scripting
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 26/02/2019
# Vendor Homepage : mybb.com
# Software Download Link : destek.mybb.com.tr/attachment.php?aid=742
# Software Information Links : community.mybb.com/mods.php?action=view&pid=1125
+ destek.mybb.com.tr/showthread.php?tid=2413
+ community.mybb.com/thread-63559.html
+ github.com/vintagedaddyo/MyBB_Plugin-ChangUonDyU-Advanced-Statistics/commit/8122c93f4c3b517b9d35338fe77ba91d9a6ac08a
# Software Version : 1.0.2 and 3.6.0 and all previous versions
Compatible with MyBB - 1.6.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
CWE-83 [ Improper Neutralization of Script in Attributes in a Web Page ]
CWE-87 [ Improper Neutralization of Alternate XSS Syntax ]
# Old Similar CVE : CVE-2018-11532
Reference Link : cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11532
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cyberizm.org/cyberizm-mybb-changuondyu-kritik-chatbox-acigi.html
############################################################################
# Description about Software :
***************************
ChangUonDyU - Extra File Chatbox is a MyBB plugin used for live chatting with other users on the forum.
####################################################################
# Impact :
***********
* The software does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
* The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
* The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Cross-site scripting (XSS) vulnerabilities occur when:
***********************************************
1. Untrusted data enters a web application, typically from a web request.
2. The web application dynamically generates a web page that contains this untrusted data.
3. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
4. A victim visits the generated web page through a web browser; the page contains malicious script that was injected using the untrusted data.
5. Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain.
6. This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.
There are three main kinds of XSS:
******************************
Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.
Type 2: Stored XSS (or Persistent) - The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.
Type 0: DOM-Based XSS - In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as JavaScript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible.
############################################################################
Vulnerable File :
******************
[VULNERABLESITE]/chatbox/message.php
Vulnerable Source Code :
**********************
54: $shout['color'] = strip_tags($shout['color']);
55: $shout['font'] = strip_tags($shout['font']);
Example Dangerous JavaScript Code :
********************************
' size=99 onmouseover=document.write(atob('aHR0cHM6Ly93d3cuY3liZXJpem0ub3JnLw====')); a='asd
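The two lines quoted from message.php rely on strip_tags(), which only removes content between < and >. The attribute-breakout payload above contains no angle brackets at all, so strip_tags() returns it unchanged and the single quote plus the onmouseover= handler survive into the rendered attribute. The following PHP is an added illustration, not the plugin's code: it runs the advisory's payload through the vulnerable filter, then through attribute-context output encoding, and finally through allowlist validation. The template string (a font tag with face/color attributes) and the allowed font list are assumptions, since the plugin's real template is not shown on the page.

```php
<?php
// Added illustration (not the plugin's code). Shows why strip_tags() on
// message.php lines 54-55 does not neutralize the attribute-injection payload
// from the advisory, and two defenses that do.
// ASSUMED render context: the value lands inside a single-quoted HTML attribute.

// Constructed sample input: the advisory's payload supplied as the "font" value.
$payload = "' size=99 onmouseover=document.write(atob('aHR0cHM6Ly93d3cuY3liZXJpem0ub3JnLw====')); a='asd";

// What the vulnerable code does: strip_tags() only removes <...> sequences.
// The payload has none, so it passes through byte-for-byte and the leading
// quote closes the face='' attribute, turning onmouseover= into a live handler.
function render_vulnerable(string $font): string {
    $font = strip_tags($font);
    return "<font face='" . $font . "'>msg</font>";
}

// Defense 1: encode for the HTML attribute context. ENT_QUOTES encodes both
// ' and ", so the value cannot terminate the attribute whichever quote style
// the template uses; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function render_encoded(string $font): string {
    $font = htmlspecialchars($font, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<font face='" . $font . "'>msg</font>";
}

// Defense 2: allowlist validation. A font name and a colour have a tiny legal
// vocabulary, so anything outside it can simply be replaced by a default.
// ASSUMED font list; the real plugin's options are not on the page.
const ALLOWED_FONTS = ['Arial', 'Verdana', 'Tahoma', 'Courier New'];

function validate_font(string $font): string {
    return in_array($font, ALLOWED_FONTS, true) ? $font : 'Arial';
}

function validate_color(string $color): string {
    // Accept only #rgb or #rrggbb; anything else (including "red; background:url(...)")
    // falls back to a safe default.
    return preg_match('/^#(?:[0-9a-fA-F]{3}){1,2}$/', $color) === 1 ? $color : '#000000';
}

function render_allowlisted(string $font, string $color): string {
    // Validate first, then still encode: defense in depth costs nothing here.
    $font  = htmlspecialchars(validate_font($font), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $color = htmlspecialchars(validate_color($color), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<font face='{$font}' color='{$color}'>msg</font>";
}

// Compare the three renderings of the same hostile input.
echo "vulnerable  : ", render_vulnerable($payload), PHP_EOL;
echo "encoded     : ", render_encoded($payload), PHP_EOL;
echo "allowlisted : ", render_allowlisted($payload, 'red; background:url(x)'), PHP_EOL;
```

Run it with `php` on the command line and compare the three lines: only the first one has the quote and the onmouseover= handler sitting outside the face attribute. Note that validation by itself is not enough in general (a legal-looking value can still be dangerous in a different output context), which is why the allowlisted variant still encodes.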
Encode and Decode URL Links:
****************************
base64encode.org
base64decode.org
Vulnerability Area :
****************
[VULNERABLESITE]/chatbox/index.php
Cross Site Scripting XSS Exploit :
*****************************
[VULNERABLESITE]/chatbox/archive.php?page=[XSS]
# Example XSS Payload :
************************
<marquee>XSS-Vulnerability-Discoverd-By-KingSkrupellos</marquee>
Proof of Concept :
*****************
Create a new thread with the following payload as the title: <svg onload=alert('XSS')>
The alert will appear on the index page.
# Solution to Fix this Bug :
************************
Open chatbox folder/config.php and find the line below:
$config['forumlink'] = 'domain1.net/forum,domain2.com'; //Forum url
This is the list of domains the chatbox is allowed to run on. Edit this line as follows.
For example, we can enter forum.[VULNERABLESITE].gov and [VULNERABLESITE].gov/FORUM:
$config['forumlink'] = '[VULNERABLESITE].com/forum,forum.[VULNERABLESITE].com'; //Forum url
If there is only one domain, change the line like this:
$config['forumlink'] = '[VULNERABLESITE].com'; //Forum url
Then find:
$config['chatboxkey'] = 'your_chatbox_key'; // ChatboxKey
Replace this chatbox key with a longer one that nobody can guess, and note the key down somewhere. Then find these lines:
$config['check_domain_reffer'] = false; // Check reffer url
$config['check_chatbox_key'] = false; // check ChatboxKey
Change them to:
$config['check_domain_reffer'] = true; // Check reffer url
$config['check_chatbox_key'] = true; // check ChatboxKey
Then save the file.
Then go to Administration Panel => Settings => Forum Settings => ChangUonDyU Chatbox Extensions => enter your [ your_chatbox_key ] there and save it.
If you want to change the [ Access Denied (Invaild ChatboxKey or URL) ] wording, edit this line in config.php and save the file however you wish:
$phrase['accessdenied'] = "<b>Access Denied (Invaild ChatboxKey or URL)</b>";
That's all. The bug has been fixed.
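The procedure above hardens config.php in three ways: it pins the domains the chatbox may run on, replaces the shipped chatbox key with a secret one, and turns on the referrer and key checks. The PHP below is an added example, not the plugin's code. It shows the corrected config values beside the weak shipped ones, generates the key from the CSPRNG instead of asking an admin to invent one, and includes an illustrative implementation of what the two check_* settings are meant to enforce. is_allowed_referer(), key_matches() and request_allowed() are assumed equivalents written for this example; the plugin's actual check code is not on the page. example.com stands in for the advisory's [VULNERABLESITE] placeholder.

```php
<?php
// Added example (not the plugin's code): hardened config.php values from the
// fix above, plus an ASSUMED illustration of the checks they enable.

// Generate the chatbox key once from the CSPRNG (64 hex chars, 256 bits of
// entropy) and paste it into both config.php and the admin panel setting.
$generated_key = bin2hex(random_bytes(32));

// Weak shipped values, for comparison:
//   $config['forumlink']           = 'domain1.net/forum,domain2.com';
//   $config['chatboxkey']          = 'your_chatbox_key';
//   $config['check_domain_reffer'] = false;
//   $config['check_chatbox_key']   = false;
$config = [];
$config['forumlink']           = 'example.com/forum,forum.example.com'; // Forum url (example.com = [VULNERABLESITE])
$config['chatboxkey']          = $generated_key;                        // ChatboxKey, no longer guessable
$config['check_domain_reffer'] = true;                                  // Check reffer url
$config['check_chatbox_key']   = true;                                  // check ChatboxKey

// ASSUMED referrer check: parse the comma-separated forumlink list and compare
// the Referer *host*, not a substring (a substring match would accept
// "evil-example.com" because it contains "example.com").
function is_allowed_referer(?string $referer, string $forumlink): bool {
    if ($referer === null || $referer === '') {
        return false; // browsers may omit Referer; treat "missing" as "not allowed"
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach (explode(',', $forumlink) as $entry) {
        // forumlink entries on the page have no scheme ("domain1.net/forum"),
        // so prepend one so that parse_url() can extract the host part.
        $allowed_host = parse_url('http://' . trim($entry), PHP_URL_HOST);
        if (is_string($allowed_host) && strcasecmp($host, $allowed_host) === 0) {
            return true;
        }
    }
    return false;
}

// ASSUMED key check: refuse the shipped default outright and compare in
// constant time so the key cannot be recovered byte-by-byte via timing.
function key_matches(string $presented, string $configured): bool {
    return $configured !== 'your_chatbox_key' && hash_equals($configured, $presented);
}

// Gate a request the way the two config switches are meant to.
function request_allowed(array $config, ?string $referer, string $presented_key): bool {
    if ($config['check_domain_reffer'] && !is_allowed_referer($referer, $config['forumlink'])) {
        return false;
    }
    if ($config['check_chatbox_key'] && !key_matches($presented_key, $config['chatboxkey'])) {
        return false;
    }
    return true;
}

// Constructed sample requests, one per decision path.
$cases = [
    'legitimate forum host, correct key'   => ['https://forum.example.com/index.php', $generated_key],
    'lookalike host, correct key'          => ['https://evil-example.com/',           $generated_key],
    'legitimate host, shipped default key' => ['https://forum.example.com/',          'your_chatbox_key'],
    'no Referer header, correct key'       => [null,                                   $generated_key],
];
foreach ($cases as $label => [$referer, $key]) {
    printf("%-38s => %s\n", $label, request_allowed($config, $referer, $key) ? 'allowed' : 'refused');
}
```

Two caveats a practitioner should keep in mind. First, Referer is a client-supplied header that browsers omit under a strict Referrer-Policy or rel="noreferrer", so the referrer check will also turn away some legitimate visitors; the key check is the stronger of the two controls. Second, these settings restrict who can reach the chatbox endpoints but do not change how message.php renders color and font, so they complement, rather than replace, output encoding of those values.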
############################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
############################################################################