Plugin Exploit

PHP Open-Source Forum Software MyBB Vulnerable to Stored XSS – Exploited

Updated on: March 29, 2020

PHP Open-Source Forum Software MyBB Vulnerable to Stored XSS – Exploited

Article Summary

MyBB, earlier known as MyBulletinBoard is a free and open source forum software based on PHP & My SQL. Recently it has been found vulnerable to a critical stored XSS (Cross-Site Scripting) and RCE (Remote-code Execution) in version 1.8.20 and before. Due to this any malefactor holding only a user account on the forum can hijack any board by sending a malicious private message to the administrator or by creating a malicious post.

MyBB, earlier known as MyBulletinBoard is a free and open source forum software based on PHP & My SQL. Recently it has been found vulnerable to a critical stored XSS (Cross-Site Scripting) and RCE (Remote-code Execution) in version 1.8.20 and before. Due to this any malefactor holding only a user account on the forum can hijack any board by sending a malicious private message to the administrator or by creating a malicious post.

Vulnerabilities at Cause

Following are the vulnerabilities that were the main culprit in MyBB:

Parsing Error in Posts & Private Messages

The first is improper parsing error which does not detect JavaScript. So, when a bad actor on the targeted forum sends an admin a private message containing malicious JavaScript code, it bypasses the security. Further, this vulnerability needs nothing more than the administrator to open the mail. No other action is required for the hacker to get full control of the board. As soon as the attacker opens the PM, he gets full access to all user accounts, private threads and messages stored in the board’s database.

Remote Code Execution Vulnerability

The second vulnerability that the forum MyBB has is a stored Remote Code Execution (RCE). It, however, could only be exploited by a person with admin permissions. But as the parsing error in private messages lets a hacker to take remote control of the website and stores malicious PHP codes in databases.

Is your website hacked? Check Astra’s PHP malware scanner now

Technical Details

The term ‘Parsing’ means string analysis. Basically, parsing is sanitizing user input and converting them into mycodes or bbcodes. Moreover, bbcodes are a forum specific way to embed images, links and videos into posts.

The parsing begins with omitting all HTML tags and double quotes. And then goes on to convert bbcode to iframe.

[url] bbcode

But due to the fact that bbcodes were converted to HTML markup in a different step, the [url] bbcode corrupts the iframe’s src by converting to HTML markup and double quotes. And this result is rendered.

[url] bbcode converts to HTML markup

If the vulnerability were not there, it would not have been possible to inject bbcodes within other bbcodes. This then leads to an onload event handler being injected into the <iframe> tag. This event handler triggers as soon as the page within the iframe is loaded, thus no user interaction is required to trigger malicious JavaScript code.

URL decode

Is your website hacked? Check Astra’s PHP malware scanner now

Update to the latest version

MyBB has patched the vulnerability in version 1.8.21. Updating to this version is the immediate step you could take. Also, to be sure that you do not fall victim to these attacks; install a web application firewall. A web application firewall provides a continuous monitoring system and an added protection to your website.

Astra Firewall is one such firewall that protects a website from XSS, SQLi, CSRF, bad bots, OWASP top 10 & 100+ other cyber attacks. Here is how an Astra dashboard looks like-

Get an Astra demo now!

Was this post helpful?

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany