MyBB Community Forums

Full Version: MYBB Doesn't Pass Security Scan
Hi guys,

I have been getting some SQL injection and I did a scan using ScanServer and it states that some of the MyBB code is insecure. Now I haven't modified any of the MyBB code and this is from the latest MyBB. Here is what they are showing.

We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

SQL Injection
URL: http://**********.***/***/showthread.php?mode=threaded&tid=5522&pid=52479
Affected Parameter: mode
Vector Used: (VALUE
Pattern found: error in your SQL syntax
Complete Attack: http://**********.***/***/showthread.php?mode=(threaded&tid=5522&pid=52479
Show Test Sample
Recommended Solution:
* SQL Injection:
Use stored procedures to prevent attackers from altering the queries, and filter user input to discard invalid characters such as '

* Cross Site Scripting:
Filter user input to discard characters such as < and >. Make sure your server does not display error messages that contain input received from the user.

* Source Disclosure:
Make sure all debugging information is turned off from production servers. Scripts should be configured to be executables only, with no ability for a user to view them.

* Non-SSL login:
All login pages should be SSL protected (e.g. have an https:// link). When using non-SSL protected pages eavesdroppers might be able to capture usernames and passwords

* Sensitive information sent over non-encrypted page:
Make sure all sensitive information is sent over SSL-protected pages.
Impact:
Attackers can take control over your database, and in some cases over the operating system (using master..xp_cmdshell, CREATE LIBRARY, etc).

Not sure what to do here but it seems it is VERY insecure as this is a high security bulletin. Ideas?
(2014-06-23, 04:05 PM)JukEboX Wrote: [ -> ]Hi guys,

MyBB is secure. If you're really concerned about this then do this: PM a staff member IF the query outputs an error. Test it on a new forum like one just installed. If you get the same error send it to MyBB staff.
This is a clean install and upgrade from 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then?
(2014-06-23, 04:39 PM)JukEboX Wrote: [ -> ]This is a clean install and upgrade from 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then?

Those scanners aren't meant to be used as you're using them. They're only using common definitions to give you the results, they're meant just for a vulnerability tester to use to get an overview of the site, and to get a list of things to possibly look into. They're known for false positives.
(2014-06-23, 04:39 PM)JukEboX Wrote: [ -> ]This is a clean install and upgrade from 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then?

Try it on an actual 1.6.13 forum with no upgrade or anything, like a fresh install. As Ryan said, most of them are false positives.
(2014-06-23, 04:39 PM)JukEboX Wrote: [ -> ]This is a clean install and upgrade from 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then?

Because it's not a human. I advise you don't use these scanners if you can't appropriately interpret the results. They're meant to assist with security research, not give you a definite answer to whether something is secure or not.

Also, if you're using a scanner to figure out how your forum was attacked with SQL injection, you can't be sure that it was SQL injection. Check your server logs and look for evidence.
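One way to do what Nathan suggests and check the server logs for evidence instead of trusting the scanner: an added example (not MyBB code and not from anyone in this thread) that parses combined-format access log lines, flags query values containing the kind of probe the scanner sent (the stray "(" in mode, a quote, SQL keywords) and counts them per client IP. The log lines, IP addresses and scanner User-Agent below are constructed placeholders, and the log format is assumed to be Apache/nginx "combined".

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access-log format (assumption: your server uses it).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Characters and keywords a forum's own links never put in a query value; the stray
# "(" is exactly what the scanner in this thread injected into "mode". Heuristic only:
# a search term containing "select" will also match, so review hits by hand.
PROBE_RE = re.compile(r"""['"();]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.I)

def suspicious_params(request_path):
    """Return (name, value) pairs from the query string that look like injection probes."""
    query = urlsplit(request_path).query
    # parse_qsl percent-decodes, so "%27" is inspected as a literal quote
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if PROBE_RE.search(v)]

def scan_log(lines):
    """Return one finding per request that carries a probe-like parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line in another format: skip rather than guess
        hits = suspicious_params(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                             "ua": m["ua"], "script": urlsplit(m["path"]).path, "hits": hits})
    return findings

def probes_by_client(findings):
    """Count probe requests per source IP; one noisy IP is a scanner, many are an attack."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

# Constructed sample lines: RFC 5737 placeholder IPs and a made-up scanner User-Agent.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2014:16:01:12 +0000] "GET /forum/showthread.php?mode=threaded&tid=5522&pid=52479 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [23/Jun/2014:16:02:03 +0000] "GET /forum/showthread.php?mode=(threaded&tid=5522&pid=52479 HTTP/1.1" 200 1043 "-" "example-scanner/1.0"',
    '198.51.100.23 - - [23/Jun/2014:16:02:04 +0000] "GET /forum/showthread.php?mode=threaded%27&tid=5522&pid=52479 HTTP/1.1" 200 1043 "-" "example-scanner/1.0"',
    '203.0.113.7 - - [23/Jun/2014:16:03:40 +0000] "POST /forum/member.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["script"], f["hits"], f["ua"])
    print(probes_by_client(scan_log(SAMPLE_LOG)))
```

On a real log, replace SAMPLE_LOG with the lines of your access log; a burst of hits from one IP with a scanner User-Agent is the scan itself, while hits from other clients, especially ones followed by 500 responses, are what to look at.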
(2014-06-23, 06:25 PM)Nathan Malcolm Wrote: [ -> ]Because it's not a human. I advise you don't use these scanners if you can't appropriately interpret the results.

Exactly as Nathan says. These automated scan tools tend to be massively unreliable.