Two critical vulnerabilities have been found in MyBB, a popular bulletin board software package. Chained together, they give an attacker remote code execution on the forum server without prior access to a privileged account. The flaws were found by the independent security researchers Simon Scannell and Carl Smith, who reported them to MyBB on February 22; MyBB released version 1.8.26 on March 10, addressing both flaws.
MyBB is free and open-source forum software developed by the MyBB Group. It is written in PHP and supports MySQL, PostgreSQL, and SQLite as database back ends, with database failover support.
Persistent XSS Vulnerability
The flaw is tracked as CVE-2021-27889. The persistent (stored) XSS vulnerability lies in MyBB's nested auto URL feature: MyBB parses the URLs contained in a message while rendering it, and a defect in that parsing lets any non-privileged forum user embed a stored XSS payload in posts, threads, and even private messages.
MyBB said in its advisory:
The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed.
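As an added illustration of the bug class, written for this page and not taken from MyBB (it is not MyBB's parser and does not reproduce CVE-2021-27889): a toy renderer for a MyCode-like `[url=X]Y[/url]` tag plus bare-URL auto-linking. The two-pass version re-scans the HTML the first pass produced, so the auto-linker matches the URL inside the `href` it has just written and nests a second anchor inside an attribute; once rendered output is re-parsed as input this way, attacker-controlled text lands in contexts the renderer never intended, which is what this class of bug rests on. The single-pass version tokenizes the raw message exactly once, escapes every fragment at the point it is written, and refuses non-http(s) schemes. The tag syntax, regexes and function names are assumptions for the demonstration.

```python
import html
import re

# Constructed toy markup, NOT MyBB's parser: [url=X]Y[/url] tags plus bare
# http(s) URLs. The regexes and function names below are assumptions.
BARE_URL = r'https?://[^\s<>\[\]"]+'
URL_TAG = r'\[url=(?P<href>[^\]\s]+)\](?P<label>.*?)\[/url\]'
SAFE_SCHEMES = ("http://", "https://")


def render_two_pass(message):
    """Vulnerable pattern: each pass re-scans markup written by the previous one.

    The auto-link pass matches the URL inside the href attribute that the
    [url] pass emitted and nests a second <a> inside it, so the output
    structure is no longer the one the renderer intended."""
    out = html.escape(message, quote=True)
    out = re.sub(URL_TAG, lambda m: f'<a href="{m["href"]}">{m["label"]}</a>',
                 out, flags=re.S)
    out = re.sub(BARE_URL, lambda m: f'<a href="{m[0]}">{m[0]}</a>', out)
    return out


# One alternation: a [url] tag or a bare URL, matched over the raw message.
TOKEN = re.compile(URL_TAG + "|(?P<bare>" + BARE_URL + ")", re.S)


def _anchor(href, label):
    """Write one link, escaping at the sink and allowing only http(s)."""
    if not href.lower().startswith(SAFE_SCHEMES):
        # Unknown scheme (javascript:, data:, ...): show the tag as plain text.
        return html.escape(f"[url={href}]{label}[/url]", quote=True)
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


def render_single_pass(message):
    """Hardened pattern: tokenize the raw message exactly once.

    Every fragment is escaped as it is written and nothing already written is
    ever scanned again, so generated markup can never be matched as input."""
    out, pos = [], 0
    for m in TOKEN.finditer(message):
        out.append(html.escape(message[pos:m.start()], quote=True))
        if m["bare"] is not None:
            out.append(_anchor(m["bare"], m["bare"]))
        else:
            out.append(_anchor(m["href"], m["label"]))
        pos = m.end()
    out.append(html.escape(message[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    sample = "[url=http://example.test/x]docs[/url] and http://example.test/y"
    print(render_two_pass(sample))     # nested <a> inside the href attribute
    print(render_single_pass(sample))  # two well-formed anchors
```

The design point is the single tokenizer: as soon as a renderer runs a second regex pass over its own HTML, every attribute it has already emitted becomes attacker-reachable input, and escaping done earlier no longer helps.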
SQL Injection in Theme Properties
The second flaw is tracked as CVE-2021-27890. This SQL injection bug can lead to authenticated remote code execution. It is triggered when a forum administrator with the “Can manage themes?” permission imports a maliciously crafted theme, or when a user visits a forum page that uses the vulnerable theme.
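An added example, not MyBB's code and not the actual CVE-2021-27890 query, of why a theme importer is a natural SQL injection sink and how it is fixed: a theme file is attacker-authored, yet its name and properties end up inside INSERT statements. The importer below, in Python against the SQLite back end MyBB also supports, first builds the query by string splicing (vulnerable), then binds the same values as parameters (fixed). The theme XML shape, the table layout, the property allowlist and the function names are assumptions for the demonstration.

```python
import json
import sqlite3
import xml.etree.ElementTree as ET

# Constructed, simplified theme file: MyBB's real theme XML carries more
# fields, so this shape is an assumption. The name attribute is the
# attacker-controlled value; the "editor" property is junk that should be dropped.
MALICIOUS_THEME_XML = """<?xml version="1.0"?>
<theme name="Dark', (SELECT password FROM users WHERE uid=1)) -- " version="1">
  <properties>
    <templateset>1</templateset>
    <imgdir>images</imgdir>
    <editor>javascript:alert(1)</editor>
  </properties>
</theme>
"""

# Assumed allowlist of property names the importer accepts.
ALLOWED_PROPERTIES = {"templateset", "imgdir", "logo", "tablespace"}


def parse_theme(xml_text):
    """Return (name, properties as JSON); unknown property names are dropped.

    ElementTree does not resolve external entities, but a production importer
    should still cap the upload size and use a hardened XML parser."""
    root = ET.fromstring(xml_text)
    props = {child.tag: (child.text or "").strip()
             for child in root.find("properties")
             if child.tag in ALLOWED_PROPERTIES}
    return root.get("name", ""), json.dumps(props, sort_keys=True)


def setup_db():
    """In-memory SQLite with a constructed users table and an empty themes table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE themes (tid INTEGER PRIMARY KEY, name TEXT, properties TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-admin-hash');
    """)
    return db


def last_theme(db):
    """Return (name, properties) of the most recently imported theme."""
    return db.execute(
        "SELECT name, properties FROM themes ORDER BY tid DESC LIMIT 1").fetchone()


def import_theme_vulnerable(db, xml_text):
    """Splices the theme name into the SQL text.

    The crafted name closes the string literal, supplies its own second column
    through a subselect and comments out the rest of the statement, so the
    admin's password hash is written into the theme row instead of the
    parsed properties."""
    name, props = parse_theme(xml_text)
    db.execute(f"INSERT INTO themes (name, properties) VALUES ('{name}', '{props}')")
    return last_theme(db)


def import_theme_safe(db, xml_text):
    """Parameterised INSERT: the name is bound as data and stored verbatim."""
    name, props = parse_theme(xml_text)
    db.execute("INSERT INTO themes (name, properties) VALUES (?, ?)", (name, props))
    return last_theme(db)


if __name__ == "__main__":
    print(import_theme_vulnerable(setup_db(), MALICIOUS_THEME_XML))
    print(import_theme_safe(setup_db(), MALICIOUS_THEME_XML))
```

The parameterised statement is the whole fix for the injection; the allowlist in `parse_theme` is the separate control that keeps a theme file from smuggling properties the rendering code was never meant to read, which matters because theme properties flow into how pages are built.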
A sophisticated attacker could develop an exploit for the stored XSS vulnerability and then send it in a private message to a targeted administrator of a MyBB board.
The researchers outlined the chain in their blog post:
As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.
In addition to the two flaws discussed above, MyBB also resolved four other security issues in the forum software: CVE-2021-27946, CVE-2021-27947, CVE-2021-27948, and CVE-2021-27949.
Impact
Successful exploitation of the vulnerabilities leads to stored XSS and SQL injection. By chaining the two, an attacker can gain remote code execution on the forum server.
Affected Versions
MyBB versions before 1.8.26.
Solution
Upgrade to MyBB version 1.8.26 or later.
SanerNow's software deployment capability can be used to install executables and scripts.