A number of vulnerabilities have been identified in the popular free web forum software MyBB, the combined exploitation of which could allow attackers to remotely execute arbitrary code without first gaining access to a privileged account.
The vulnerabilities were discovered by independent security researchers Simon Scannell and Carl Smith, who reported them to the MyBB support team on February 22 this year. On March 10, with the release of MyBB 1.8.26, the vulnerabilities were fixed.
MyBB (formerly MyBBoard and MyBulletinBoard) is free open source forum software written in PHP.
According to the researchers, the first issue is an XSS vulnerability (CVE-2021-27889) arising from the way MyBB parses messages containing URLs during rendering. It allows any unprivileged forum user to inject payloads into discussions, posts, and even private messages.
The vulnerability can be exploited with minimal user interaction by storing a malicious MyCode message on the server (for example, as a post or a private message) and pointing the victim to a page where that content is rendered.
The second vulnerability (CVE-2021-27890) affects the forum's theme manager and allows SQL injection, which could eventually lead to remote code execution. It is triggered when a forum administrator holding the "Can I manage themes?" permission imports a malicious theme, or when a user for whom such a theme has been installed visits a forum page.
In addition to the above two vulnerabilities, release 1.8.26 also fixes the following vulnerabilities:
- CVE-2021-27946 - improper validation of the vote count in polls, which can lead to SQL injection;
- CVE-2021-27947 - incorrect validation of certain forum data, which could lead to SQL injection;
- CVE-2021-27948 - additional user group IDs can be stored through the admin panel without proper authentication, which can lead to SQL injection;
- CVE-2021-27949 - a reflected XSS vulnerability in custom moderation tools, caused by insufficient validation of user input passed in POST requests that are protected by a CSRF token.