We discovered a Stored XSS vulnerability that occured due to a parsing error in posts and private messages in MyBB 1.8.20 and prior versions, as well as an authenticated Remote Code Execution vulnerability that can be exploited by administrators of a forum.
This gives an attacker full access to all user accounts, private threads and messages stored in the board’s database.
In the following, we analyze the security flaws that were partially detected with Static Code Analysis.
Stored XSS through [video] bbcode
MyBB has a 3 step process to parse and render threads, posts and private messages. This process’ purpose is to sanitize user input and render so called mycodes or bbcodes. Bbcodes are a simple way for forum users to embed for example images, links and videos in posts.
The following graphic demonstrates the usual execution flow of the MyBB rendering process:
The process begins by simply escaping all HTML tags and double quotes. It will then convert all
[video] mycodes into
<iframe> tags that embed videos from e.g. YouTube. The reason for video bbcodes being rendered in a single step is because they can be disabled by administrators (they are enabled by default). Finally, it will convert all other mycodes, such as
[email] into HTML markup.
The fact that
[video] bbcodes were converted to HTML markup in a different step than all other bbcodes lead to the idea that it might be possible to craft a
[video] bbcode that results in HTML markup that contains other shortcodes in it’s attributes, such as:
The idea is that MyBB will then replace the
[url] bbcode within the iframe’s
src with more HTML markup containing double quotes (
"), thus corrupting the HTML and leading to an attribute injection.
The above example would then result in the following HTML markup after the third and final step of the processing:
<iframe src="youtube.com/xyz<a href="http://onload=evilCode()">.."></iframe>
As can be seen, the
src attribute of the iframe is then closed by the injected
href attribute and it’s quote. This now leads to the
onload event handler being injected into the
<iframe> HTML tag.
Usually, it would not be possible to inject bbcodes within other bbcodes as regex filters are in place that prevent such attacks. However, the callback method that is reponsible for rendering
[video] bbcodes calls
urldecode() on the URL of the video that should be embedded (e.g.
youtube.com/xyz). This is shown in the following code snippet:
The fact that the video URL is urldecoded allows to bypass the regex protection and inject a
[url] bbcode as depicted above by URL encoding it. This then leads to an
onload event handler being injected into the
RCE in Admin panel via File Write
Administrators of a MyBB forum can manage stylesheets of the active theme of their installation within the Admin Panel. They can also create new stylesheet files on the server and choose the filename.
An obvious File Write vulnerability would occur if an attacker in the role of an administrator account could simply create a new stylesheet file and call it for example
shell.php. However, a quick investigation of the source code behind this functionality revealed that only the
.css file extension was allowed:
What captured our attention was what happened after the extension had been checked. Instead of simply creating the stylesheet file in the file system, MyBB first stores the name of the stylesheet file, as well as the contents in the MySQL database powering the board. When we looked at the
mybb_themestylesheets table and how it was structured, we noticed something interesting: the
name column which stores the filename of a newly imported stylesheet is defined as a
varchar column with a maximum of 30 characters.
Table definition of mybb_themestylesheets
We then noticed that the length of a stylesheet filename is not checked when imported through an XML file, resulting in attackers being able to trick MyBB into inserting a filename with more than the allowed 30 characters. MySQL’s default behavior on many systems is to then truncate the filename to 30 characters.
An attacker could abuse this behavior by setting a filename to for example
aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css. This filename is 34 characters long. Since it ends with the .css extension, it passes the security checks of MyBB. However, when that string is then inserted into the database, it is truncated to 30 characters and only
aaaaaaaaaaaaaaaaaaaaaaaaaa.php remains stored in the database.
An attacker can then use the admin panel to generate the newly imported stylesheet files and write them to the file system. This would create a PHP shell within the cache directory.
|2019/04/29||Reported multiple vulnerabilities privately to the MyBB team.|
|2019/04/29||MyBB acknowledges the vulnerabilies.|
|2019/06/10||MyBB releases version 1.8.21 which includes patches for the vulnerabilities.|