PHP Open-Source Forum Software MyBB Vulnerable to Stored XSS - Exploited

MyBB, earlier known as MyBulletinBoard, is a free and open-source forum software based on PHP and MySQL. It has recently been found vulnerable to a critical stored XSS (Cross-Site Scripting) and RCE (Remote Code Execution) in version 1.8.20 and earlier. Because of this, any malefactor holding nothing more than a user account on the forum can hijack the board by sending a malicious private message to the administrator or by creating a malicious post.

The Vulnerabilities Involved

The following vulnerabilities in MyBB are the main culprits:

Parsing Error in Posts & Private Messages

The first is an improper parsing error: the parser fails to detect JavaScript. So when a bad actor on the targeted forum sends an admin a private message containing malicious JavaScript code, it bypasses the security checks. This vulnerability needs nothing more than the administrator opening the private message; no other action is required for the attacker to gain full control of the board. As soon as the administrator opens the PM, the attacker gets full access to all user accounts, private threads and messages stored in the board's database.

Remote Code Execution Vulnerability

The second vulnerability in MyBB is a stored Remote Code Execution (RCE). On its own it can only be exploited by a person with admin permissions. However, since the parsing error in private messages lets an attacker take over an administrator account, the two chain together: the attacker gains remote control of the website and stores malicious PHP code in the database.

Is your website hacked? Check Astra’s PHP malware scanner now

Technical Details

Here, 'parsing' means string analysis: sanitising user input and converting the MyCode (MyBB's flavour of bbcode) it contains into HTML. bbcodes are a forum-specific way to embed images, links and videos in posts.

Parsing begins by stripping all HTML tags and double quotes from the input, and then goes on to convert bbcode into an <iframe>.

Figure: the [url] bbcode

Because the [url] bbcode is converted to HTML markup in a different, later step, a [url] bbcode placed inside the iframe's src is turned into HTML markup containing double quotes, which corrupts the src attribute. This corrupted result is what gets rendered.

Figure: the [url] bbcode converted to HTML markup

Without this flaw, it would not have been possible to inject bbcodes within other bbcodes. The corrupted attribute lets an onload event handler be injected into the <iframe> tag. That handler fires as soon as the page inside the iframe has loaded, so no user interaction is required to trigger the malicious JavaScript.

Figure: URL decode
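To make the ordering problem concrete, here is an added toy parser in Python (not MyBB's code, and not the article's) that reproduces the two-stage pipeline described above: first strip tags and quotes, then emit an iframe, then expand [url] separately. The bbcode names, regexes and sample posts are constructed for this illustration; the nested [url] is benign, so the example shows only that the src attribute is broken open, not the event-handler injection the article describes. The hardened variant applies contextual output encoding: each URL is validated and escaped at the moment it is written into an attribute, so nothing a later stage produces can land inside that attribute.

```python
import html
import re

# Constructed sample posts (not from the article or from MyBB): a plain video
# embed, and a [url] tag nested inside a [video] tag. All URLs are placeholders.
PLAIN_POST = "[video]https://example.invalid/clip[/video]"
NESTED_POST = "[video]https://example.invalid/[url=https://example.invalid/x]watch[/url][/video]"

# Hypothetical bbcode grammar for this toy parser; MyBB's real MyCode rules differ.
VIDEO_TAG = re.compile(r"\[video\](.*?)\[/video\]", re.S)
URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)
# Characters permitted in a URL that is about to be placed in an HTML attribute.
SAFE_URL = re.compile(r"https?://[\w.\-/:%?=&#~]+")


def strip_html_and_quotes(text: str) -> str:
    """Stage 1, as the article describes it: drop HTML tags and double quotes."""
    text = re.sub(r"<[^>]*>", "", text)
    return text.replace('"', "")


def render_vulnerable(post: str) -> str:
    """Ordering bug: the iframe's src attribute is written first, trusting stage 1
    to have removed all quotes; only afterwards is a nested [url] expanded into
    <a href="..."> markup, which re-introduces quotes and tags inside the attribute."""
    text = strip_html_and_quotes(post)
    text = VIDEO_TAG.sub(r'<iframe src="\1"></iframe>', text)
    text = URL_TAG.sub(r'<a href="\1">\2</a>', text)
    return text


def render_hardened(post: str) -> str:
    """Contextual output encoding: validate and escape each value at the moment it
    is written into an attribute, and refuse anything that is not a plain URL."""

    def make_iframe(m):
        url = m.group(1)
        if not SAFE_URL.fullmatch(url):      # rejects '[', ']', '<', '"', spaces, ...
            return html.escape(m.group(0))   # show the bbcode literally instead
        return f'<iframe src="{html.escape(url, quote=True)}"></iframe>'

    def make_anchor(m):
        href, label = m.group(1), m.group(2)
        if not SAFE_URL.fullmatch(href):
            return html.escape(m.group(0))
        return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'

    text = strip_html_and_quotes(post)  # kept as defence in depth, no longer relied upon
    text = VIDEO_TAG.sub(make_iframe, text)
    text = URL_TAG.sub(make_anchor, text)
    return text


def iframe_src(rendered: str):
    """Value of the first iframe's src attribute as a browser would delimit it
    (up to the next double quote), or None if no iframe was emitted."""
    m = re.search(r'<iframe src="([^"]*)"', rendered)
    return m.group(1) if m else None


if __name__ == "__main__":
    for post in (PLAIN_POST, NESTED_POST):
        print("vulnerable:", render_vulnerable(post))
        print("hardened:  ", render_hardened(post))
```

Run stand-alone, the vulnerable renderer turns the nested post into `<iframe src="https://example.invalid/<a href="https://example.invalid/x">watch</a>"></iframe>`: the src attribute now ends at the first quote that the [url] expansion inserted, and everything after it is parsed by the browser as further attributes of the iframe. The hardened renderer emits the same iframe for the plain post but refuses to build one from the nested post, rendering the [video] bbcode literally while still turning the inner [url] into an ordinary link in body text.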


Update to the latest version

MyBB has patched the vulnerability in version 1.8.21, and updating to this version is the immediate step you should take. To reduce the risk of falling victim to attacks like these, also install a web application firewall, which provides continuous monitoring and an added layer of protection for your website.

Astra Firewall is one such firewall; it protects a website from XSS, SQLi, CSRF, bad bots, the OWASP Top 10 and 100+ other attacks.


About The Author

Aakanchha Keshri

A tech enthusiast. She loves to learn and write about CMS security. And a Potterhead.
