MyBB, earlier known as MyBulletinBoard is a free and open source forum software based on PHP & My SQL. Recently it has been found vulnerable to a critical stored XSS (Cross-Site Scripting) and RCE (Remote-code Execution) in version 1.8.20 and before. Due to this any malefactor holding only a user account on the forum can hijack any board by sending a malicious private message to the administrator or by creating a malicious post.
Vulnerabilities at Cause
Following are the vulnerabilities that were the main culprit in MyBB:
Parsing Error in Posts & Private Messages
The first is improper parsing error which does not detect JavaScript. So, when a bad actor on the targeted forum sends an admin a private message containing malicious JavaScript code, it bypasses the security. Further, this vulnerability needs nothing more than the administrator to open the mail. No other action is required for the hacker to get full control of the board. As soon as the attacker opens the PM, he gets full access to all user accounts, private threads and messages stored in the board’s database.
Remote Code Execution Vulnerability
The second vulnerability that the forum MyBB has is a stored Remote Code Execution (RCE). It, however, could only be exploited by a person with admin permissions. But as the parsing error in private messages lets a hacker to take remote control of the website and stores malicious PHP codes in databases.
Is your website hacked? Check Astra’s PHP malware scanner now
Technical Details
The term ‘Parsing’ means string analysis. Basically, parsing is sanitizing user input and converting them into mycodes or bbcodes. Moreover, bbcodes are a forum specific way to embed images, links and videos into posts.
The parsing begins with omitting all HTML tags and double quotes. And then goes on to convert bbcode to iframe.
But due to the fact that bbcodes were converted to HTML markup in a different step, the [url] bbcode corrupts the iframe’s src by converting to HTML markup and double quotes. And this result is rendered.
If the vulnerability were not there, it would not have been possible to inject bbcodes within other bbcodes. This then leads to an onload event handler being injected into the <iframe> tag. This event handler triggers as soon as the page within the iframe is loaded, thus no user interaction is required to trigger malicious JavaScript code.
Is your website hacked? Check Astra’s PHP malware scanner now
Update to the latest version
MyBB has patched the vulnerability in version 1.8.21. Updating to this version is the immediate step you could take. Also, to be sure that you do not fall victim to these attacks; install a web application firewall. A web application firewall provides a continuous monitoring system and an added protection to your website.
Astra Firewall is one such firewall that protects a website from XSS, SQLi, CSRF, bad bots, OWASP top 10 & 100+ other cyber attacks. Here is how an Astra dashboard looks like-
