MyBB Community Forums

Full Version: Improve MyBB Security
There are currently some points in MyBB that prevent it from being used safely in case MyBB Admin != Site/Server Admin, because the MyBB Admin CP lets MyBB Admins do things that usually only the Site/Server Admin can do. According to Ryan Gordon this is not a security issue but by design. However I still think it would be nice to improve on these points, so one can give some people MyBB Admin CP access without having to worry about them meddling with other things on the server.

1)

The template system can execute arbitrary PHP code. See also http://community.mybboard.net/thread-64895.html http://secunia.com/advisories/38941/ http://www.php.net/manual/en/language.ty...ng.complex . This functionality is not required by MyBB and thus could be removed.

This could be done by disallowing {${ (and whitespace variations thereof) in templates. This check could be done when editing / importing them, so there would be no difference in evaluation speed at run time.

2)

The template system gives access to database host, username, and password, by putting something like {$mybb->config['database']['password']} in a template. This functionality is not required by MyBB and thus could be removed.

This could be done by deleting the database details from the global config array as soon as the connection to the database is established (and the database details thus are no longer required), or by not putting database details in the global variable scope to begin with (thus making them inaccessible to templates).

3)

The MyBB backup system gives read access to database tables that do not belong to MyBB, which could contain passwords for other web applications or other instances of MyBB running on the same server. This functionality is not required by MyBB and thus could be removed.

This could be done by not listing tables that don't start with the proper table prefix, and by not letting the backup task access any tables that don't start with the proper prefix. Naturally this depends on a unique prefix being chosen at the time of install.
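One way to implement the prefix restriction from point 3, as an added example rather than MyBB code: the rule is enforced on the submitted table selection as well as on the listing, and LIKE wildcards in the prefix are escaped. The function names and the table list are hypothetical.

```php
<?php
// Added example, not MyBB code. Function names are hypothetical and the
// table list is constructed; it stands in for the output of SHOW TABLES.

/** Escape LIKE wildcards so that "mybb_" does not also match "mybbshop...". */
function like_prefix_pattern(string $prefix): string
{
    return strtr($prefix, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
}

/** Tables this installation owns: exact, case-sensitive prefix match only. */
function own_tables(array $all_tables, string $prefix): array
{
    if ($prefix === '') {
        throw new InvalidArgumentException('an empty prefix would match every table');
    }
    return array_values(array_filter(
        $all_tables,
        fn (string $t): bool => strncmp($t, $prefix, strlen($prefix)) === 0
    ));
}

/** Apply the same rule to the submitted selection, not only to the listing. */
function validate_backup_request(array $requested, array $all_tables, string $prefix): array
{
    $foreign = array_diff($requested, own_tables($all_tables, $prefix));
    if ($foreign !== []) {
        throw new RuntimeException('refusing to back up: ' . implode(', ', $foreign));
    }
    return array_values($requested);
}

// Constructed list: two forums and two unrelated applications in one database.
// An unescaped LIKE 'mybb_%' would also match mybbshop_customers.
$tables = ['mybb_users', 'mybb_posts', 'mybb2_users', 'mybbshop_customers', 'wp_users'];
print_r(own_tables($tables, 'mybb_'));
echo like_prefix_pattern('mybb_'), "\n";
try {
    validate_backup_request(['mybb_users', 'wp_users'], $tables, 'mybb_');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

A prefix that is itself the start of another installation's prefix would still match that installation's tables, which is the uniqueness condition the post mentions.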
The first and second point - I agree with Ryan. An Admin would literally have to do this by themselves and therefore not a security issue. A user could install a plugin which adds a template that displays this information, but MyBB does not support plugins and can't do much to protect against them.

(2010-03-17, 04:49 PM)frostschutz Wrote: [ -> ]The template system can execute arbitrary PHP code.

Uhm, I'm not too sure I follow on this one... can you provide an example?
Take any piece of code you want to execute (for example 'print_r($mybb);') and write it like so in a template:

{${assert('print_r($mybb);')}}

Works since PHP 5. Replace print_r($mybb) (which also prints out database password etc) with something malicious (such as creating a backdoor php file in the cache folder) and the server is yours...

I understand Ryan's point of view to some extent, but even so, I still think that MyBB should not be the stepping stone necessary to go from MyBB Admin CP to other forums and webapps (or even other instances of MyBB) which are running on the same server / database. Forums and sites being vulnerable because of this is quite a reality, such as multi forum hosts, or anywhere someone appointed someone as co-admin in the belief that this person could in worst case only harm this one mybb forum, not anything outside mybb on the same server. Not everyone who has access to MyBB Admin CP somewhere has or even needs access to database or ftp at the same time.
I think that these issues should be patched because they allow for unnecessary risk to the user's server. What is to prevent a user from creating a theme that has executable PHP code in it and then distributing this to other users? How many admins actually check line by line each XML file they import into their server? Should they have to?

Using the vulnerability to attack a server via a malicious theme would be trivial. An advanced user could very easily create a theme XML file with silent PHP code in it that pings the attacker's server so as to alert them to the URL of a vulnerable site, one which has installed their malicious theme. In the same instance, a new PHP file could very easily be created in a writable directory created by MyBB, such as images or avatars, which would allow the attacker a back door to the server.

I understand the MyBB Group's logic in not fixing this. I see that the MyBB Group is taking the approach that in order for this threat to do any harm the forum owner must have given admin permissions to an untrustworthy user. The fact that this vulnerability can be used with the template XML file imports, however, means that a user can import a malicious file unknowingly into their forum which can cause damage to their server, without ever giving an untrustworthy user admin access to their forum. Of course any attack code could be made to run silently where the forum admin would not be aware unless they inspected their template's XML file code to find the malicious lines.

When templates are approved for the directory on this site, are they scanned line by line for malicious code? Even if that is done here, what is to prevent a 3rd party template from being maliciously crafted to take advantage of this vulnerability?

While the risk of an individual's site suffering from this vulnerability is small, those few sites that these vulnerabilities may be exploited on stand to lose a lot if they are successfully used. I can't help but be reminded of Toyota. Only a few of their cars have the problem with the stuck gas pedal, and the chances of this happening to an owner are slim to none, however when the gas pedal does stick things usually go really wrong really quickly.

I have seen and tested the exploit code for the PHP arbitrary code execution vulnerability and can verify that it is indeed a real exploit. I had to release a patch for my Multiforums Script for MyBB to patch this so my clients could use MyBB to run forum hosts safely. One, if not two, forum hosts have already possibly been exploited by this problem. Even though it's not MyBB's official stance to support multiforums scripts or hosts it would be nice to see the MyBB group fix this problem as I think it would be in the best interests of MyBB to have multiforums hosts to thus increase the usage of MyBB like what has been done with PHPBB.

Hopefully this will be fixed though as it doesn't affect just multiforums hosts. Should a whole server be open to exploitation because some kid with a hosting account there gives the wrong person admin access to their forum by mistake? I don't think so.
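An import-time check along the lines proposed in the first post (rejecting `{${` and its whitespace variations), applied to the theme XML imports discussed above; this is an added example, not part of the thread or of MyBB's code. It goes one step further than the proposal by allowlisting plain variable placeholders, and the function names, the `<theme>`/`<templates>`/`<template name>` layout and the sample file are assumptions constructed for illustration.

```php
<?php
// Added example, not MyBB code. Function names, the XML layout and the
// sample theme below are assumptions, constructed for illustration.

/** True when a template body contains only plain variable placeholders. */
function template_is_safe(string $template): bool
{
    // Allowlist: {$var}, {$var->prop} and {$var['key']} chains.
    $simple = '~\{\$[A-Za-z_]\w*(?:->[A-Za-z_]\w*|\[(?:\'[\w ]*\'|"[\w ]*"|\w+)\])*\}~';
    $rest = preg_replace($simple, '', $template);

    // The thread's proposal: "$" followed by "{", with or without whitespace.
    if (preg_match('~\$\s*\{~', $template)) {
        return false;
    }
    // Stricter step: any "{$" the allowlist did not consume (method calls,
    // nested expressions) is rejected as well.
    return strpos((string) $rest, '{$') === false;
}

/** Names of the templates in a theme XML export that fail the check. */
function scan_theme_xml(string $xml): array
{
    $theme = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    if ($theme === false) {
        throw new InvalidArgumentException('theme file is not well-formed XML');
    }
    $rejected = [];
    foreach ($theme->xpath('//template') ?: [] as $tpl) {
        if (!template_is_safe((string) $tpl)) {
            $rejected[] = (string) $tpl['name'];
        }
    }
    return $rejected;
}

// Constructed sample: one ordinary template and three that must be refused.
$sample = <<<'XML'
<theme name="Constructed sample">
  <templates>
    <template name="header"><![CDATA[<div>{$mybb->user['username']} {$lang->welcome}</div>]]></template>
    <template name="footer"><![CDATA[<p>{${assert('print_r($mybb);')}}</p>]]></template>
    <template name="index"><![CDATA[<p>{$ {'x'}}</p>]]></template>
    <template name="member"><![CDATA[<p>{$obj->method()}</p>]]></template>
  </templates>
</theme>
XML;

print_r(scan_theme_xml($sample));
```

Because the check runs when a template is saved or imported, it adds nothing to evaluation time at run time, which is the property the first post asks for.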
Quote:The MyBB backup system gives read access to database tables that do not belong to MyBB, which could contain passwords for other web applications or other instances of MyBB running on the same server. This functionality is not required by MyBB and thus could be removed.

I remove the backup.php file on my sites. It's too dangerous imho.

Quote: A user could install a plugin which adds a template that displays this information

Any rogue plugin could backup your DB remotely and then delete your site. Rogue templates and plugins should be avoided and realistically I can't recall ever seeing a complaint here about a malicious plugin.

Quote:{${assert('print_r($mybb);')}}

Cool...maybe could be used for good. Like executing php in templates without core file edits or plugins.

Also know the template vulnerability not only requires admincp but also template permissions. I don't give my admins that perm. I restrict their access and so should other owners.

If you have a malicious rogue admin with template access they can just go and delete your themes and pages and probably even worse.

Quote:The fact that this vulnerability can be used with the template XML file imports, however, means that a user can import a malicious file unknowingly into their forum which can cause damage to their server, without ever giving an untrustworthy user admin access to their forum.

I agree that should somehow be looked at but to solve this I think is going to be incredibly difficult.
(2010-03-01, 08:36 AM)Yumi Wrote: [ -> ]BTW, whilst I'm here, I suggest MyBB make a change similar to this.
Executing PHP in templates is an exploit. Admins are trusted to administrate your board, not execute arbitrary code. It's the same concept behind why there's a separation between moderators and administrators - both are trusted, however the former is not trusted to administrate the board.
Also, this certainly isn't a feature. If it's needed, there's a plugin which can explicitly enable this.

Whether this is going to be blatantly stated as not being an exploit is MyBB staffs' decision, however I strongly suggest making clear to end users that allowing anyone to edit templates explicitly allows execution of arbitrary code if this isn't going to be changed, as I don't think this is obvious to the average user.
Also, it would be nice if threads like these aren't simply closed like that. The last time I checked, forums were meant for discussion, not meant for stifling discussion. Unless you are very very certain that your decision is the wisest and that further discussion will absolutely not be helpful, I would consider not jumping the gun at closing topics.

http://community.mybboard.net/thread-656...#pid471704


I personally don't find leaking DB username/password that big of an issue if you restrict the account to localhost access (which I believe is MySQL's default). Any rogue script that gets uploaded will be able to retrieve the information from config.php anyway.
I guess it's a harmless improvement though.
(2010-03-17, 10:09 PM)labrocca Wrote: [ -> ]I remove the backup.php file on my sites. It's too dangerous imho.

(2010-03-17, 10:09 PM)labrocca Wrote: [ -> ]I don't give my admins that perm. I restrict their access and so should other owners.

That's exactly what I'm talking about. I would like to improve MyBB security as such that it does not unnecessarily add additional security concerns, making things "too dangerous" to give anyone access. For example I would very much like to be able to appoint a co-admin who is responsible for the design of the forum only - which means exclusive access to the themes and template system only. The MyBB Admin CP permission system can already do that, but due to the arbitrary PHP execution, it's not possible to do unless the person in question has the same level of trust as a full admin with full ftp and database access would have.

Sure, you could always argue that the guy could just as well embed malicious JavaScript in the template. That actually was Ryan Gordon's argument. However these are two different things - while the HTML issue can't be helped, the arbitrary code execution is completely unnecessary and could easily be avoided.

While it would not be a solution to all problems, it would still be an improvement.

An improvement that makes the difference between multi-forum hosting being feasible, or being able to install a copy of MyBB for a friend on your webspace, or not doing it because it's too dangerous.

(2010-03-17, 10:09 PM)labrocca Wrote: [ -> ]Cool...maybe could be used for good.

I'm certainly the last person who says no to a new, intended, properly thought through feature that lets you do cool stuff. However what we have here came unintended, with an update of the PHP language. It's cumbersome to use for good, and lets you do a whole lot of bad. So between this and security concerns, I think security should take priority.

(2010-03-17, 11:12 PM)Yumi Wrote: [ -> ]I personally don't find leaking DB username/password that big of an issue

Sure, it's not that big of an issue. But it's also completely unnecessary. And many people have phpMyAdmin installed and the only thing keeping people out is not knowing the username/password...
Quote:That's exactly what I'm talking about. I would like to improve MyBB security as such that it does not unnecessarily add additional security concerns, making things "too dangerous" to give anyone access.

But that's like saying I should not run SSH because I gave a user shell access. If you give them the access they can screw you. That's the real danger. This has nothing to do with MyBB or how secure it is. This is about how secure the people you trust are.

Quote:For example I would very much like to be able to appoint a co-admin who is responsible for the design of the forum only

That person can delete your themes or insert rogue javascript to infect users. Nothing can stop that.

Quote:However these are two different things - while the HTML issue can't be helped, the arbitrary code execution is completely unnecessary and could easily be avoided.

But screwed is screwed. You trust the wrong guy that's the problem not the script.

I'm sure MyBB will maintain its good name of strong security. But I don't see something like this as critical and neither does Secunia. It's a very low risk.
(2010-03-17, 11:26 PM)labrocca Wrote: [ -> ]I'm sure MyBB will maintain its good name of strong security.

You're talking about this?

http://www.mybboard.net/features Wrote:Security
MyBB puts your board's security first.
Extensive measures have been put in place to guarantee MyBB's security on your web server. We've performed security audits and rewritten code to make sure that no vulnerabilities are left unpatched in MyBB. In the off chance that a vulnerability is found, you can be confident that we're already preparing a patch for immediate release.

Ah, if only it were true. Unfortunately that's just marketing babble there to fool the masses. Reporting a security issue to MyBB is actually hard work: First you fill out the official contact form, wait forever for a reply that will never come, then you PM some devs, receive a very unfriendly reply ('It's just stupid crap' instead of 'Thank you'), then you go hack some forums and notify their owners and they're like 'wtf why doesn't mybb fix this', then these owners come here and make threads http://community.mybboard.net/thread-64895.html which promptly get closed, then you begin doubting your own sanity, then you report to secunia to get a third party opinion who write you back a very friendly mail saying 'this certainly crosses security boundaries' and release an advisory, then you come back here and have to beg for any change to be actually made... and by change I essentially mean one-liners... as to whether it will actually happen is highly doubtful at this point...

I've reported security issues to many other projects in the past, but MyBB is the only one where you hit a wall such as this. Other projects take security issues very seriously even if they are minor ones.
(2010-03-17, 11:20 PM)frostschutz Wrote: [ -> ]Sure, it's not that big of an issue. But it's also completely unnecessary. And many people have phpMyAdmin installed and the only thing keeping people out is not knowing the username/password...
I totally forgot about phpMyAdmin. My bad.