Two critical vulnerabilities in the popular bulletin board software MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account.
The issues, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update (version 1.8.26) on March 10 addressing the problems.
MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed using PHP and MySQL.
According to the researchers, the first issue, a nested auto URL persistent XSS vulnerability (CVE-2021-27889), stems from how MyBB parses messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, posts, and even private messages.
“The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed,” MyBB said in an advisory.
The second vulnerability concerns an SQL injection (CVE-2021-27890) in a forum’s theme manager that could result in an authenticated RCE. A successful exploitation occurs when a forum administrator with the “Can manage themes?” permission imports a maliciously crafted theme, or when a user for whom the theme has been set visits a forum page.
“A sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board,” the researchers outlined in a technical write-up. “As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.”
Besides the two aforementioned vulnerabilities, version 1.8.26 also resolves four other security shortcomings that were identified by the MyBB Team, including:
- CVE-2021-27946 – Improper validation of the number of votes in thread poll options, leading to SQL injection
- CVE-2021-27947 – Improper sanitization of certain forum data, causing SQL injection when used in subsequent queries
- CVE-2021-27948 – Additional User Group ID numbers can be saved without proper validation in the Admin Control Panel, resulting in SQL injection, and
- CVE-2021-27949 – A reflected XSS vulnerability in custom Moderator Tools, when user input attached to CSRF token-protected POST requests isn’t properly sanitized
MyBB users are advised to upgrade to the latest version to mitigate the risk associated with the issues.