A pair of critical vulnerabilities in the popular bulletin board software MyBB could have been chained together to achieve remote code execution (RCE) without prior access to a privileged account.
The flaws, discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22; the team released an update (version 1.8.26) on March 10 addressing the issues.
MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software written in PHP with a MySQL backend.
According to the researchers, the first issue, a nested auto URL persistent XSS vulnerability (CVE-2021-27889), stems from how MyBB parses messages containing URLs during rendering. Because the payload survives in the stored message rather than in a one-off request, any unprivileged forum user can plant stored XSS in threads, posts and even private messages, and it fires for every reader of that content.
“The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed,” MyBB said in an advisory.
The second vulnerability is an SQL injection (CVE-2021-27890) in the forum's theme manager that can lead to authenticated RCE. It is triggered when a forum administrator with the “Can manage themes?” permission imports a maliciously crafted theme, or when a user for whom that theme has been set visits a forum page. On its own this bug requires an administrator account, which is why the researchers paired it with the stored XSS.
“A sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board,” the researchers outlined in a technical write-up. “As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.”
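The sequence the researchers describe leaves a recognisable trace in ordinary web-server access logs: an administrator's browser reads a private message and, seconds later and from the same client, posts to the theme importer in the Admin Control Panel. The script below is an added illustration of how to correlate those two events; it is not code from the article, from MyBB or from the researchers. It assumes MyBB's default URL layout (private messages read via `private.php?action=read`, the importer at `admin/index.php?module=style-themes&action=import`), a 60-second window, and combined-format log lines, all of which are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). They are made up
# for this example and are not logs from a real MyBB deployment. The paths
# assume MyBB's default URL layout: private messages are read through
# private.php?action=read and the ACP theme importer lives at
# admin/index.php?module=style-themes&action=import.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:00:09 +0000] "GET /forum/private.php?action=read&pmid=418 HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:00:11 +0000] "GET /forum/admin/index.php?module=style-themes&action=import HTTP/1.1" 200 4410 "https://forum.example/forum/private.php?action=read&pmid=418" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2021:10:00:12 +0000] "POST /forum/admin/index.php?module=style-themes&action=import HTTP/1.1" 302 0 "https://forum.example/forum/private.php?action=read&pmid=418" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2021:10:05:00 +0000] "GET /forum/private.php?action=read&pmid=419 HTTP/1.1" 200 7002 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2021:11:30:00 +0000] "POST /forum/admin/index.php?module=style-themes&action=import HTTP/1.1" 302 0 "https://forum.example/forum/admin/index.php?module=style-themes&action=import" "Mozilla/5.0"
"""

# One line of the combined log format: client IP, timestamp, request line,
# status, size, referer, user agent. Only the named groups are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)


def classify(path):
    """Map a request path to one of the two events in the chain, or None."""
    parts = urlsplit(path)
    query = parse_qs(parts.query)
    if parts.path.endswith("/private.php") and query.get("action") == ["read"]:
        return "pm_read"
    if (parts.path.endswith("/admin/index.php")
            and query.get("module") == ["style-themes"]
            and query.get("action") == ["import"]):
        return "theme_import"
    return None


def find_suspicious(log_text, window=timedelta(seconds=60)):
    """Flag POSTs to the theme importer that follow a private-message read
    from the same client IP within `window`. Each hit records the delay and
    whether the importer request carried a private.php Referer, which is what
    a same-origin XMLHttpRequest fired from the message page would send."""
    last_pm_read = {}   # client IP -> time of the most recent PM read
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        kind = classify(m["path"])
        if kind == "pm_read":
            last_pm_read[m["ip"]] = ts
        elif kind == "theme_import" and m["method"] == "POST":
            seen = last_pm_read.get(m["ip"])
            if seen is not None and ts - seen <= window:
                hits.append({
                    "ip": m["ip"],
                    "pm_read_at": seen.isoformat(),
                    "import_at": ts.isoformat(),
                    "delta_s": (ts - seen).total_seconds(),
                    "referer_is_pm": "/private.php?" in m["referer"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

On the sample data only the first client is flagged: it reads a message and posts a theme import three seconds later with the message page as Referer. The second client also reads a message and later imports a theme, but 85 minutes apart, which is what a legitimate administrator doing both by hand looks like. Treat hits as leads rather than verdicts, since an administrator who reads a message and then immediately imports a theme on purpose will trip the same rule; the Administrator Log that MyBB keeps in the ACP is the natural place to confirm who actually performed the import.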
Besides the two vulnerabilities above, version 1.8.26 also resolves four other security issues identified by the MyBB Team:
- CVE-2021-27946 – Improper validation of the number of votes in thread poll options, leading to SQL injection
- CVE-2021-27947 – Improper sanitization of certain forum data, causing SQL injection when that data is used in subsequent queries
- CVE-2021-27948 – Additional user group IDs could be saved without proper validation in the Admin Control Panel, resulting in SQL injection
- CVE-2021-27949 – A reflected XSS vulnerability in custom Moderator Tools, where user input attached to CSRF-token-protected POST requests is not properly sanitized
MyBB users are advised to upgrade to the latest version to mitigate the risk associated with the flaws. Upgrading closes the parser and theme-manager bugs, but it does not undo a takeover that has already happened, so a forum that was exposed while unpatched should also be reviewed for unexpected theme imports and administrator changes.