Two critical vulnerabilities have been found in MyBB, a popular bulletin board software. The vulnerabilities can be chained together to achieve remote code execution without prior access to a privileged account. Independent security researchers Simon Scannell and Carl Smith found the flaws. They reported the vulnerabilities to MyBB on February 22, following which MyBB released version 1.8.26 on March 10, addressing the flaws. These flaws can be remediated using a vulnerability management tool.
MyBB is free and open-source forum software developed by the MyBB Group. It is written in PHP and supports MySQL, PostgreSQL, and SQLite as database systems. It also has database failover support. Vulnerability management software can prevent these attacks.
Vulnerability Details
Persistent XSS Vulnerability
The flaw is tracked as CVE-2021-27889. The persistent XSS vulnerability exists in the handling of nested auto URLs. It arises from the way MyBB parses messages containing URLs during rendering. That enables any non-privileged forum user to embed a stored XSS payload into posts, threads, and even private messages.
MyBB said in an advisory,
However, the vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed.
SQL Injection in Theme Properties
The second flaw is tracked as CVE-2021-27890. This SQL injection bug could result in authenticated remote code execution. The vulnerability is triggered when a forum administrator with the "Can manage themes?" permission imports a maliciously crafted theme, or when a user for whom that theme is set visits a forum page.
A sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board.
The researchers also outlined in the blog,
As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.
Besides the two flaws discussed above, MyBB also resolved four other security issues identified in the MyBB forum software. The flaws are CVE-2021-27946, CVE-2021-27947, CVE-2021-27948, and CVE-2021-27949.
Impact
Successful exploitation of the MyBB vulnerabilities can lead to XSS and SQL injection attacks. It is also possible for an attacker to gain remote code execution by chaining the two vulnerabilities.
Affected Products
MyBB versions before 1.8.26.
Solution
Upgrade to MyBB version 1.8.26 or later.
SanerNow's software deployment capability is useful for installing executables/scripts.
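To check installs against the affected range above (versions before 1.8.26), the following added example, which is not code from MyBB or from the original article, extracts the declared version from PHP source and compares it numerically. It assumes the version is declared as a `$version = "x.y.z"` property (as in MyBB's `inc/class_core.php`); the function names and sample file contents are constructed for illustration.

```python
import re

FIXED = (1, 8, 26)  # first fixed release, per the Solution section above

# Assumption: the install declares its version in a PHP property such as
#   public $version = "1.8.25";
# The pattern does not match the separate $version_code property.
VERSION_RE = re.compile(r"""\$version\s*=\s*["'](\d+(?:\.\d+)*)["']""")


def parse_version(php_source):
    """Return the declared version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(php_source)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version):
    """True when version is older than 1.8.26.

    Components are compared as integers: a string comparison would wrongly
    rank "1.8.9" above "1.8.26".
    """
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def triage(installs):
    """Map each install name to 'affected', 'patched' or 'unknown'."""
    result = {}
    for name, source in installs.items():
        version = parse_version(source)
        if version is None:
            result[name] = "unknown"  # version line missing: inspect manually
        else:
            result[name] = "affected" if is_affected(version) else "patched"
    return result


# Constructed sample file contents, not taken from real installations.
SAMPLES = {
    "forum-a": 'public $version = "1.8.25";\npublic $version_code = 1825;',
    "forum-b": 'public $version = "1.8.26";\npublic $version_code = 1826;',
    "forum-c": "public $version = '1.8.9';",
    "forum-d": "<?php // version line stripped",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLES).items():
        print(f"{name}: {status}")
```

In practice, pass the contents of each install's version file to `triage`; an "unknown" result means the version line was not found and the install needs manual inspection.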