[-] Product Description:
MyBB-2FA is an unmaintained MyBB plugin that allows MyBB admins to enable Two Factor Authentication for their forum users.
[-] Vulnerability Type:
Cross Site Request Forgery
[-] Impact and more info:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[-] Vulnerable Request Type:
GET based
[-] Vulnerable Module/Parameter/Path:
MyBB_Installation/usercp.php?action=mybb2fa&do=[ACTION]
[-] Proof of Concept URL:
MyBB_Installation/usercp.php?action=mybb2fa&do=deactivate
MyBB_Installation/usercp.php?action=mybb2fa&do=activate
[-] Fix Suggestion:
Implement an anti-CSRF token to protect against forged requests
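An added example (not code from the plugin or from MyBB) of the suggested fix: a standalone PHP model of the do=activate / do=deactivate handler that accepts the state change only over POST and only with a valid per-user token. The function names, the token field name, the secret and the user record are assumptions constructed for illustration; requiring POST goes one step beyond the token itself.

```php
<?php
// Added example, not plugin code. Standalone model of the usercp.php?action=mybb2fa
// handler; csrf_token(), handle_2fa_action() and the $user fields are hypothetical.

// Derive a per-user token from a server-side secret and the user's login key.
function csrf_token(array $user, string $secret): string
{
    return hash_hmac('sha256', $user['uid'] . '|' . $user['loginkey'], $secret);
}

// Returns the new 2FA state, or throws if the request must be rejected.
function handle_2fa_action(array $user, string $method, array $input, string $secret): bool
{
    $do = $input['do'] ?? '';
    if (!in_array($do, ['activate', 'deactivate'], true)) {
        throw new InvalidArgumentException('unknown action');
    }
    // State changes are accepted over POST only, so a plain link or image URL cannot trigger them.
    if ($method !== 'POST') {
        throw new RuntimeException('state change requires POST');
    }
    // Constant-time comparison of the submitted token with the expected one.
    $sent = $input['my_post_key'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token($user, $secret), $sent)) {
        throw new RuntimeException('missing or invalid anti-CSRF token');
    }
    return $do === 'activate';
}

// Constructed sample data.
$secret = 'constructed-server-secret';
$user   = ['uid' => 7, 'loginkey' => 'constructed-login-key', 'twofa' => true];

$requests = [
    'cross-site GET'          => ['GET',  ['do' => 'deactivate']],
    'cross-site POST, no key' => ['POST', ['do' => 'deactivate']],
    'legitimate form POST'    => ['POST', ['do' => 'deactivate', 'my_post_key' => csrf_token($user, $secret)]],
];

foreach ($requests as $label => [$method, $input]) {
    try {
        $user['twofa'] = handle_2fa_action($user, $method, $input, $secret);
        echo "$label: accepted, 2FA now " . ($user['twofa'] ? 'on' : 'off') . "\n";
    } catch (Exception $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Inside MyBB the same check is available from core: verify_post_check($mybb->get_input('my_post_key')) validates the per-user key that templates emit as {$mybb->post_code}.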
[-] Product URL(s):
https://github.com/JN-Jones/MyBB-2FA
https://community.mybb.com/thread-162369.html
[-] Advisory:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12363
[-] Disclaimer:
This bug is subject to Seekurity SAS de C.V. responsible disclosure rules, which set a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug details will become visible to the public through our official communication channels.