2006-08-27, 12:18 PM
This problem is not exclusive to MyBB, other forums suffer from it as well. However, it has not been used in any large-scale hacks yet, so it is not that well known.
An example of how CSRF works:
Of course, a real bad guy might just change that redirect url into one that adds his user to the admin usergroup, deletes a random post, simulates a visit to his site (to spin up hit counters) or whatever he wants!
Issues (as I understand them):
(I was going to create a proof-of-concept to add to my rep here with each view, but the admins disabled the rep system. Heh.)
Credits: http://ha.ckers.org/ - basic CSRF / XSS info.
An example of how CSRF works:
- Bad guy creates a .htaccess file in his site ( e.g., http://bad.guy.ws ) :
Redirect 302 /a.jpg http://your.forum.here/newthread.php?subject=V14GR4&message=CH34P V|4GRA H3R3!!&submit=1&action=new_thread&fid=2
- Bad guy comes to your forum and posts an innocent-looking post including
in it.[img ]http://bad.guy.ws/a.jpg[/ img]
- Every view of this post spawns a new thread in your forums telling you about Cheap Viagra, "posted" by the user viewing the post.
Of course, a real bad guy might just change that redirect url into one that adds his user to the admin usergroup, deletes a random post, simulates a visit to his site (to spin up hit counters) or whatever he wants!
Issues (as I understand them):
- Bad: There is no alt text provided for user-posted images, so compliant browsers will not even display anything out of ordinary. IE, however, will show a red [X] instead of an image. Oh the irony. Adding an alt-text would be at least an indication that an image is missing... Which can be due to various reasons, however, not only CSRF.
- Good to know: On MySQL 5 in Strict mode, long requests fail since MySQL refuses to truncate the url to fit in the sessions.location column, which is VARCHAR(150) . Older versions happily truncate the data instead of erroring out the request. However, MyBB doesn't work properly with MySQL 5.
- Bad: Requests that are refused due to insufficient user rights (e.g., a query that edits the user in ACP when the viewing user hasn't logged into ACP) die silently, and don't show any indication of failure.
- Good: If your ACP is under .htpasswd or similar protection, and you aren't logged in, a CSRF targeting your ACP will create a prompt asking you to log in, thus alerting you to the problem. Don't log in, obviously.
- Bad: The bad guy is not limited to .htaccess 302, he can even set up that directory to execute png files as php, imagination is the limit. It's basically a GET request to his site, which he can process how he pleases.
- Bad: The attack works even if he posts the image in some other forum, all those visitors viewing his post would still "post" at your forum, albeit most likely as guests, since there is no guarantee they are registered in your forum.
- Good: Requiring your forum url as a referer can prevent the last issue. (Mind the privacy-lovers with blank referers, though.)
- Good: Requiring POST and not GET for any sensitive pages can somewhat reduce the problem, at least to my knowledge, however, some experts tend to disagree. I am not aware of any redirection method which would force a browser to POST the stuff with the correct session identification. (A quick GREP says MyBB only enforces POST for "deletepost", nowhere else.)
- Good: You can reduce the risk significantly by adding a hidden input "token" set to some session-specific value, and refusing potentially exploitable requests without it.
(I was going to create a proof-of-concept to add to my rep here with each view, but the admins disabled the rep system. Heh.)
Credits: http://ha.ckers.org/ - basic CSRF / XSS info.