A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account.
The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update (version 1.8.26) on March 10 addressing the issues.
MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed using PHP and MySQL.
According to the researchers, the first issue, a nested auto URL persistent XSS vulnerability (CVE-2021-27889), stems from how MyBB parses messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, posts, and even private messages.
“The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a target to a page where the content is parsed,” MyBB said in an advisory.
The second vulnerability concerns an SQL injection (CVE-2021-27890) in a forum’s theme manager that could result in an authenticated RCE. Successful exploitation occurs when a forum administrator with the “Can manage themes?” permission imports a maliciously crafted theme, or when a user for whom the theme has been set visits a forum page.
“A sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board,” the researchers outlined in a technical write-up. “As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.”
Besides the two aforementioned vulnerabilities, version 1.8.26 also resolves four other security shortcomings that were identified by the MyBB Team, including:
- CVE-2021-27946 – Improper validation of the number of votes in thread poll options, leading to SQL injection
- CVE-2021-27947 – Improper sanitization of certain forum data, causing SQL injection when used in subsequent queries
- CVE-2021-27948 – Additional User Groups ID numbers can be saved without proper validation in the Admin Control Panel, resulting in SQL injection, and
- CVE-2021-27949 – A reflected XSS vulnerability in custom Moderator Tools, when user input related to CSRF token-protected POST requests is not properly sanitized
MyBB users are advised to update to the latest version to mitigate the risk associated with the flaws.