Critical RCE Flaw Reported in MyBB Forum Software

MyBB, formerly MyBBoard and originally MyBulletinBoard, is a free and open-source forum software developed using PHP and MySQL. A pair of critical vulnerabilities in this software could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith.

Affected CVEs-: CVE-2021-27890 and CVE-2021-27889.

How does the exploitation work?

  1. The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed. A nested auto URL persistent XSS vulnerability (CVE-2021-27889) — stems from how MyBB passes messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, posts, and even private messages.
  2. The second vulnerability concerns an SQL injection (CVE-2021-27890) in a forum's theme manager that could result in an authenticated RCE. A successful exploitation occurs when a forum administrator with the "Can manage themes?" permission imports a maliciously crafted theme, or a user, for whom the theme has been set, visits a forum page.
  3. A sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board. As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.

Other CVEs affected:

Four other security shortcomings that were identified by the MyBB Team, including —

1. CVE-2021-27946 - Improper validation of the number of votes in thread poll options, leading to SQL injection.

2. CVE-2021-27947 - Improper sanitization of certain forum data, causing SQL injection when used in subsequent queries.

3. CVE-2021-27948 - Additional User Groups ID numbers can be saved without proper validation in the Admin Control Panel, resulting in SQL injection.

4. CVE-2021-27949 - A reflected XSS vulnerability in custom Moderator Tools, when user input attached to CSRF token-protected POST requests is not properly sanitized.

Remedies:

  1. MyBB users are advised to upgrade to the latest version to mitigate the risk associated with the flaws.
  2. My BB version 1.8.26 resolves the security issues of all the exploitations mentioned in this blog. It was released on 10th March 2021.
  3. To upgrade from the previous version: copy and overwrite files from the Changed Files package.
  4. Upgrading from older versions may require running the install/ upgrade script.
  5. Before performing any upgrade, remember to back up your forum’s files and database and store them safely.
  6. If you have edited core files, including language files, please make sure you make a change log for these changes so you can make them again (if necessary) once the upgrade is complete.