Esoteric hacking risk addressed through recent update

Security researchers have managed to chain together a pair of vulnerabilities that might, with difficulty, have created a way to take over boards running the popular MyBB forum software.

The flaws – discovered by independent researchers Simon Scannell and Carl Smith – were resolved through a software update from MyBB that was issued last week.

This cleared the way for publication of details of the nested auto URL persistent XSS and theme properties SQL injection vulnerabilities on Thursday.

In a guest post on the Sonarsource blog, Scannell and Smith explain how MyBB forums running versions between and including 1.8.16 and 1.8.25 are affected by two vulnerabilities that could be chained to achieve remote code execution (RCE).


Catch up on the latest security vulnerability news


Takeovers of vulnerable systems would be possible even in the absence of prior takeover of privileged accounts on targeted MyBB installations.

The first vulnerability (nested auto URL persistent XSS – CVE-2021-27889) involves security shortcomings in the MyBB rendering process that “enabled any unprivileged forum user of a MyBB board to embed stored XSS payloads into threads, posts and even private messages”, explain the researchers.

The second vulnerability (theme properties SQL injection – CVE-2021-27890) involves an SQL injection vulnerability that could yield RCE.

Booby-trapped message

Scannell and Smith also discovered a mechanism for combining the bug pair to maximum effect. Exploiting the flaws is tricky but possible providing a targeted MyBB administrator can be duped into opening a booby-trapped message, as the two researchers explain.

A sophisticated attacker could develop an exploit for the stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board.

As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.

The issues were disclosed to MyBB on February 22. In response, MyBB developed patches for its software, released on March 10.

Protective measures

Written in PHP, MyBB is popular open source software that’s thought to power more than 10,000 forum sites.

Last week’s updates also address four lower severity flaws, discovered internally by MyBB.

A representative of the MyBB development team said that it welcomed the chance to work with security researchers before going on to offer their take on the particular issues uncovered by Scannell and Smith:

The patched exploitation chain takes advantage of the weakness areas related to legacy code we identified last year.

We look forward to replacing them in the future, and in the meantime, are reviewing additional defense-in-depth checks addressing these classes of vulnerabilities.


As is often the case, forum administrators can defend themselves and their boards against security issues like the ones described by following common recommendations that range from logging out of the admin control panel as soon as possible, to making the ACP URL secret.

Scannell and Smith uncovered the vulnerabilities after analyzing forum software used to create a capture the flag (CTF) challenge they participated in.

The Daily Swig asked the researchers, via Sonarsource, what wider lessons might be drawn from their research. No word back as yet but we’ll update this story as and when more information comes to hand.


YOU MIGHT ALSO LIKE MyBB security analysis: Open source community helped squash hundreds of bugs