Critical Vulnerability SQL Injection, XSS Attacks — MyBB Security Update

Home/Security Update/Critical Vulnerability SQL Injection, XSS Attacks — MyBB Security Update

Critical Vulnerability SQL Injection, XSS Attacks — MyBB Security Update

MyBB released security updates for multiple vulnerabilities including SQL injection, XSS attacks, bypassing issues.

Security Vulnerability

MyBB is the free and open source forum software powering thousands of engaging, vibrant, and unique communities across the internet, released security updates addressing multiple security vulnerabilities.

However, Below are the vulnerabilities with CRITICAL severity:

Cross-site Scripting (XSS) — CVE-2021-27889

Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.

Description

The parsing of messages containing URLs within values of MyCode (BBCode) tags may cause unexpected nesting and output malformed HTML that may be exploited, resulting in an XSS vulnerability.

However, The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed.

Based on the advisories released — below may reduce the impact:

  • Disable MyCode for individual forums, Private Messages, user profile signatures, and calendars, or
  • And, Guest users are not allowed to submit messages where MyCode is supported, or posting access is otherwise limited or controlled.

Patches

MyBB 1.8.26 resolves this issue with the following changes:

https://github.com/mybb/mybb/commit/86894e1e6837f7687ecf6d9e572a626fc2d5d4fc.patch

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Theme Properties SQL Injection — CVE-2021-27890

SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.

Description

Certain theme properties included in theme XML files are not escaped properly when included in SQL queries, leading to an SQL injection vulnerability.

However, the vulnerability may be exploited when:

  1. a forum administrator with the Can manage themes? permission imports a maliciously crafted theme,
  2. also, a forum administrator uses the Export Theme or Duplicate Theme features in the Admin Control Panel, or, a user, for whom the theme has been set, visits a forum page.

Based on the advisories released — below may reduce the impact:

  • no themes from untrusted sources are imported,
  • also, the Admin CP’s Can manage themes? limited permissions to trusted administrators

Patches

MyBB 1.8.26 resolves this issue with the following changes:

https://github.com/mybb/mybb/commit/561e1c76d85ed92931440730c0e78b63359b27a4.patch

Vulnerable Platforms

Importantly, Below are the vulenrable MyBB Versions:

  • All Versions Prior To 1.8.26

Also, multiple MyBB versions were prone to exploitation by attackers for the below list of latest CVE’s:

  • CVE-2021-3350
  • CVE-2021-3337
  • CVE-2021-28115
  • CVE-2021-27949
  • CVE-2021-27948
  • CVE-2021-27947
  • CVE-2021-27946
  • CVE-2021-27279

Security Recommendations

In short, highly recommended to update the latest patches released or reach at [email protected]

By | 2021-03-20T22:15:53+05:30 March 20th, 2021|Security Update|

About the Author:

FirstHackersNews- Identifies Security

One Comment

  1. zortilonrel April 16, 2021 at 2:47 pm - Reply

    I’m not that much of a online reader to be honest but your sites really nice, keep it up! I’ll go ahead and bookmark your site to come back in the future. Many thanks

Leave A Comment

Subscribe to our newsletter to receive security tips everday!