[KAPDA::#34] MyBB1.0.4 HeaderInjection
-------
[KAPDA::#34] - MyBB1.0.4~redirectfunction()~HeaderInjection

KAPDA New advisory

Software: MyBB
Software's Web Site: http://www.mybboard.com
Versions: 1.0.3
Class: Remote
Status: Unpatched
Exploit: Not Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: high

Vulnerability:
-------------------
MyBB contains security bugs that allow an attacker to perform a header injection attack. MyBB is prone to header injection in "many pages" because CRLFs and other meaningful characters are not sanitized when user-supplied variables are embedded in HTTP headers during a redirect. Possible attacks based on this type of injection include XSS, cache poisoning, page hijacking, etc.
We suggest that the vendor validate these characters in the redirect function as an immediate patch and, in future versions, validate user-supplied variables wherever data is embedded in headers.

Exploit:
--------------------
Send a request to some of the pages that need a referrer while redirecting.

POST
Refferer: %0d%0a%0d%0ai+am+here

Even if the friendly redirecting feature is off, all pages that embed user-supplied data can be exploited.

Solution:
--------------------
Upgrade to the vendor-provided patch.
Suggestion: in inc/function.php{306}, before 324, insert

$url = str_replace(array("\n","\r",";"), "", $url);

Credit:
--------------------
Discovered by imei addmimistrator
imei(4}kapda(O}ir
addmimistrator(4}gmail(O}com
www.myimei.com
Computer Security Science Researchers Institute [http://www.KAPDA.ir]
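
The validation suggested under Solution, written as a check that rejects a tainted value instead of stripping characters from it. This is an added example, not MyBB's or KAPDA's code: the function name clean_redirect_url, the index.php fallback and the sample inputs are assumptions constructed for illustration, and the code targets current PHP (7+) rather than the PHP of MyBB 1.0.x.

```php
<?php
// Added example: hypothetical helper, not part of MyBB.
// PHP's own header() has refused multi-line values since 5.1.2; a check
// like this is defence in depth and also covers ";", which the advisory's
// suggested str_replace() strips as well.

/**
 * Return $url unchanged if it is safe to embed in a redirect header,
 * otherwise return $fallback (assumed default: index.php).
 */
function clean_redirect_url(string $url, string $fallback = 'index.php'): string
{
    // Check the raw value and its percent-decoded form. The decoded form
    // matters if the value is URL-decoded before reaching header()
    // (an assumption about the caller, labelled as such).
    $candidates = [$url, rawurldecode($url)];

    foreach ($candidates as $candidate) {
        // Reject any control character (CR, LF, NUL, TAB, DEL, ...) and ";".
        if (preg_match('/[\x00-\x1F\x7F;]/', $candidate) === 1) {
            return $fallback;
        }
    }
    return $url;
}

// Constructed sample inputs: one benign value, then raw CRLF,
// percent-encoded CRLF (the advisory's test string), and a ";" case.
$samples = [
    'forumdisplay.php?fid=2',
    "index.php\r\n\r\ni am here",
    'index.php%0d%0a%0d%0ai+am+here',
    'index.php;x=1',
];

foreach ($samples as $sample) {
    printf(
        "%-42s => %s\n",
        json_encode($sample, JSON_UNESCAPED_SLASHES),
        clean_redirect_url($sample)
    );
}
```

Only the first sample is returned unchanged; the other three fall back to index.php. Rejecting the whole value avoids forwarding a partially cleaned URL that the user never intended to visit.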