MyBB Community Forums Community Archive Archived Forums Archived Development and Support MyBB 1.6 1.6 Security Management and Support v
MYBB Doesn't Pass Security Scan

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Threaded Mode
MYBB Doesn't Pass Security Scan
JukEboX Offline
Posts: 57
Threads: 18
Joined: May 2011
Reputation: 0
#1
2014-06-23, 04:05 PM
HI guys,

I have been getting some SQL in jection and and I did a scan using ScanServer and it states that some of mybb code is insecure. Now I haven't modified any of the mybb code and this is from the lastest mybb. Here is what they are showing.

We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

SQL Injection
URL: http://**********.***/***/showthread.php?mode=threaded&tid=5522&pid=52479
Affected Parameter: mode
Vector Used: (VALUE
Pattern found: error in your SQL syntax
Complete Attack: http://**********.***/***/showthread.php?mode=(threaded&tid=5522&pid=52479
Show Test Sample
Recommended Solution:
* SQL Injection:
Use stored procedures to prevent attackers from altering the queries, and filter user input to discard invalid characters such as '

* Cross Site Scripting:
Filter user input to discard characters such as < and >. Make sure your server does not display error messages that contain input received from the user.

* Source Disclosure:
Make sure all debugging information is turned off from production servers. Scripts should be configured to be executables only, with no ability for a user to view them.

* Non-SSL login:
All login pages should be SSL protected (e.g. have an https:// link). When using non-SSL protected pages eavesdroppers might be able to capture usernames and passwords

* Sensitive information sent over non-encrypted page:
Make sure all sensitive information is sent over SSL-protected pages.
Impact:
Attackers can take control over your database, and in some cases over the operating system (using master..xp_cmdshell, CREATE LIBRARY, etc).

Not sure what to do here but it seems it is VERY unsecure as this is a high security bulletin. Ideas?
Find
VoIP Offline
Posts: 475
Threads: 26
Joined: Mar 2013
Reputation: 13
#2
2014-06-23, 04:22 PM
(2014-06-23, 04:05 PM)JukEboX Wrote: HI guys,

I have been getting some SQL in jection and and I did a scan using ScanServer and it states that some of mybb code is insecure. Now I haven't modified any of the mybb code and this is from the lastest mybb. Here is what they are showing.

We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

SQL Injection
URL: http://**********.***/***/showthread.php?mode=threaded&tid=5522&pid=52479
Affected Parameter: mode
Vector Used: (VALUE
Pattern found: error in your SQL syntax
Complete Attack: http://**********.***/***/showthread.php?mode=(threaded&tid=5522&pid=52479
Show Test Sample
Recommended Solution:
* SQL Injection:
Use stored procedures to prevent attackers from altering the queries, and filter user input to discard invalid characters such as '

* Cross Site Scripting:
Filter user input to discard characters such as < and >. Make sure your server does not display error messages that contain input received from the user.

* Source Disclosure:
Make sure all debugging information is turned off from production servers. Scripts should be configured to be executables only, with no ability for a user to view them.

* Non-SSL login:
All login pages should be SSL protected (e.g. have an https:// link). When using non-SSL protected pages eavesdroppers might be able to capture usernames and passwords

* Sensitive information sent over non-encrypted page:
Make sure all sensitive information is sent over SSL-protected pages.
Impact:
Attackers can take control over your database, and in some cases over the operating system (using master..xp_cmdshell, CREATE LIBRARY, etc).

Not sure what to do here but it seems it is VERY unsecure as this is a high security bulletin. Ideas?

MyBB is secure. If you're really concerned about this then do this: PM a staff member IF the query outputs a error. Test it on a new forum like one just installed. If you get the same error send it to MyBB staff.
Hey Everyone I am back! I will slowly be in progression of helping you all with your questions!


Find
JukEboX Offline
Posts: 57
Threads: 18
Joined: May 2011
Reputation: 0
#3
2014-06-23, 04:39 PM
This is a clean install and upgrade form 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then.
Find
Rymax99 Offline
Posts: 479
Threads: 28
Joined: Feb 2013
Reputation: 16
#4
2014-06-23, 04:43 PM
(2014-06-23, 04:39 PM)JukEboX Wrote: This is a clean install and upgrade form 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then.

Those scanners aren't meant to be used as you're using them. They're only using common definitions to give you the results, they're meant just for a vulnerability tester to use to get an overview of the site, and to get a list of things to possibly look into. They're known for false positives.
Website Find
VoIP Offline
Posts: 475
Threads: 26
Joined: Mar 2013
Reputation: 13
#5
2014-06-23, 05:27 PM
(2014-06-23, 04:39 PM)JukEboX Wrote: This is a clean install and upgrade form 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then.

Try it on an actuall 1.6.13 forum with no upgrade nothing like a fresh install. As Ryan said most of them are false postives.
Hey Everyone I am back! I will slowly be in progression of helping you all with your questions!


Find
Nathan Malcolm Away

Former Staff
Posts: 13,647
Threads: 220
Joined: May 2010
Reputation: 550
#6
2014-06-23, 06:25 PM
(2014-06-23, 04:39 PM)JukEboX Wrote: This is a clean install and upgrade form 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then.

Because it's not a human. I advise you don't use these scanners if you can't appropriately interpret the results. They're meant to assist with security research, not give you a definite answer to whether something is secure or not.

Also, if you're using a scanner to figure out how your forum was attacked with SQL injection, you can't be sure that it was SQL injection. Check your server logs and look for evidence.
No longer involved in the MyBB project.
Find
Euan T Offline

Security

Web
Posts: 15,129
Threads: 240
Joined: Jun 2009
Reputation: 703
#7
2014-06-23, 06:34 PM
(2014-06-23, 06:25 PM)Nathan Malcolm Wrote:
(2014-06-23, 04:39 PM)JukEboX Wrote: This is a clean install and upgrade form 1.6.10 - 1.6.13. Why would it come up in the scan if it was secure then.

Because it's not a human. I advise you don't use these scanners if you can't appropriately interpret the results. They're meant to assist with security research, not give you a definite answer to whether something is secure or not.

Also, if you're using a scanner to figure out how your forum was attacked with SQL injection, you can't be sure that it was SQL injection. Check your server logs and look for evidence.

Exactly as Nathan says. These automated scan tools tend to be massively unreliable.
Website Find


Forum Jump:


Users browsing this thread: 1 Guest(s)