Hacker and carder forums counted among the 10,000 sites running on MyBB software

UPDATED Web forum admins whose sites run on the MyBB platform have been urged to update their installations following the discovery and mitigation of multiple security flaws – two of which have been flagged as ‘high risk’.

Launched yesterday, version 1.8.21 of MyBB includes fixes to numerous security issues, including a critical stylesheet vulnerability that could result in remote code execution (RCE), giving an attacker full access to all user accounts, private threads, and messages stored in the board’s database.

The path to code execution runs through a persistent cross-site scripting (XSS) flaw in the software’s nested video feature, which is used to deliver the payload that triggers the stylesheet bug.

The vulnerabilities were discovered by RIPS Tech researchers Simon Scannell and Robin Peraglie, who worked with the MyBB Project team to ensure coordinated disclosure.

“We discovered a stored XSS vulnerability that occurs due to a parsing error in posts and private messages in MyBB 1.8.20 and prior versions, as well as an authenticated remote code execution vulnerability that can be exploited by administrators of a forum,” Scannell told The Daily Swig.

Although the RCE bug falls under the ‘authenticated’ category, Scannell went on to explain that an attacker merely needs a guest account on a target forum to send an admin a private message containing malicious JavaScript code, which exploits the vulnerability.

“This leads to a full remote takeover of a target board by an attacker, as soon as an administrator – who is at the same time authenticated in the backend context – opens the malicious private message,” he said.

“No further user interaction is required.”

Coordinated disclosure

MyBB is a free and open source forum software written in PHP. According to a project spokesperson, there are currently over 10,000 active, publicly accessible boards powered by the software.

“Interestingly enough, when I researched famous MyBB boards, some of them turned out to be hacker and carder forums,” Scannell said.

Offering guidance to users, Tomasz Mlynski of the MyBB Project team said: “MyBB’s admin control panel prompts administrators to check for updates at least once every two weeks, or shows a notification if newer versions have already been discovered.

“Discussion boards running MyBB can be updated by uploading the new package and running the attached update script.”

Although thousands of online forums now require a patch to protect against the RCE and XSS bugs, it’s clear that the MyBB dev team takes the security of its platform seriously.

A dedicated security portal on the MyBB Project site has been designed to make the disclosure process as easy as possible for researchers.

“The MyBB Project extends thanks to reporters and researchers following responsible disclosure,” the security advisory reads.

Discussing the importance of coordinated disclosure in open source projects, Mlynski said: “Full cooperation – which, currently in our case, involves not only coordinated disclosure, but also solution development and the follow-up penetration testing – has already proved worthwhile through multiple opportunities, when security patches were corrected or improved in time for publication.

“We can see how more resources in this area – provided by external, adversarial teams that attempt to break what we build, but with a similar goal – can improve the health and stability of a security program, so that fixes are delivered more reliably and faster.

“We believe that open source projects have a particular interest and conditions to offer transparency and a high level of technical detail.

“Experienced users should be well aware that all platforms can be vulnerable, so the difference is not how secure a vendor claims to be, or how rarely they mention having security issues, but the procedures in place and history that has put them into practice.”

Check out the RIPS Tech blog post for a full technical breakdown of the vulnerabilities.


This article has been updated to include comments from MyBB.


RELATED Toxic comments: WordPress admins under threat from latest bug