+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Website & Server Hacking (https://sinister.ly/Forum-Website-Server-Hacking)
+--- Thread: MyBB Admin Escalation Exploit (/Thread-MyBB-Admin-Escalation-Exploit)
MyBB Admin Escalation Exploit - i0xIllusi0n - 02-06-2013
Posted on February 6, 2013
Affected URL: {$mybb->settings['bburl']}/merge/index.php
Exploit Type: Unauthenticated Execution
Versions Affected: Merge System <= 1.6.7, MyBB <= 1.6.9
Details:
The MyBB merge system asks for no authentication information when doing a merge, just the database information of the source. This is exploitable by merging a MyBB database with a known admin access userpass combo. This can easily be created by making a new vanilla mybb board. The only requirement is the database it’s on is accessible by the slave server. The best way to eliminate this exploit is require some sort of userpass combination on the Merge system.
Exploit credits: Rallias/Nohbody
*He gave me permission to post this here*
RE: MyBB Admin Escalation Exploit - Kinanizer - 02-07-2013
Great find, did you alert Anar about this?
RE: MyBB Admin Escalation Exploit - Dismas - 02-07-2013
(02-07-2013, 02:32 AM)Kinanizer Wrote: Great find, did you alert Anar about this?
This isn't anything new. The MyBB developer's instructions tell you to delete the merge system after using it. Unfortunately, some people aren't all that smart, and they can't follow simple directions. I've known about this for quite some time, which is why we don't have a /merge/ directory. Then again, I haven't had to merge anything.