MyBB is the free and open source forum software powering thousands of engaging, vibrant, and unique communities across the internet. MyBB, formerly MyBBoard and originally MyBulletinBoard, is a free and open-source forum software developed by the MyBB Group. It is written in PHP.

Today SonarSource is pleased to share with you a guest contribution to our Code Security blog series. The following post is authored by Simon Scannell and Carl Smith, two independent security researchers, joining us in sharing their real world findings and how they directly relate to Code Security.

Over to you Simon and Carl! Like all IT security enthusiasts, we love to grow our knowledge by looking through a variety of applications and taking part in some contests such as capture the flag. Lately, we decided to look at forum software to create a CTF challenge and detected a chain of serious vulnerabilities in MyBB, an open source bulletin board.

Impact

MyBB forums with versions between and including 1. A sophisticated attacker could craft an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB forum. As soon as the administrator opens the private message, on their own trusted forum, the exploit triggers.

An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.

This feature must be carefully implemented, as users could abuse it to modify the contents of the forum in undesired ways if the constraints of this feature are not strict enough. Worst case, a user could gain the ability to inject arbitrary JavaScript code into the HTML documents served by the trusted forum.

In our experience, we have observed two approaches to implement this feature: Allow users to submit HTML tags and apply an allow or deny list to determine whether the input is safe to display to other users.

Use an existing or custom message format, such as Markdown for example, to create sane HTML outputs from inputs. Both approaches come with their respective advantages and disadvantages. MyBB utilizes the second approach in their rendering process with a custom implementation of their MyCodes.

Problems in such parsers can occur when a regex is used to find and replace e

The idea was that these transformations would remove characters that could be matched by the second alternative of the regex, which is used for the auto URL handling. Therefore the second part assumes that the first part has already cleaned the URL.

Thus, it was possible to craft a tag such as the one shown below, which invalidates this assumption, thus confusing the regex.


Since both of these tags contain double quotes, they corrupt each other. This allows the attacker to execute arbitrary JavaScript code in the browser of a victim who reads the malicious post or private message.

If the attacker succeeds in injecting malicious JavaScript code into the browser of an administrative user with an active session, he can perform arbitrary actions with admin privileges. MyBB actively prevents even administrator users from executing arbitrary PHP code on the underlying server, thus we will present an authenticated RCE vulnerability that can be exploited with administrative privileges.

A MyBB theme consists of a list of key-value pairs. The key names a component, for example, a welcome back message that should be displayed. The reason that this feature does not lead to remote code execution (RCE) immediately is that MyBB escapes double quotes in template values when they are stored into the database.

Thus, it is impossible to break out of the double-quoted string. We achieved this bypass through an SQL injection.


MyBB themes can be uploaded through XML files which contain a set of properties such as the image directory or the version. Additionally, a list of key-value pairs is read where the name correlates to the name of the theme component and the value to the contents. As it turned out, the templateset property was susceptible to a second-order SQL injection. When these themes are uploaded they are inserted into the database of the MyBB instance and are later used in other SQL queries without any sanitization.

We already touched on how the values of MyBB template components are passed to eval calls, thus leading to arbitrary PHP code execution should an attacker be able to control the value of a theme property.

The following paragraphs describe an SQL injection, which enables an attacker to inject malicious template codes into eval calls. At the beginning of each page load, MyBB fetches all possible template values from the database and stores them in a cache.

The SQL query that fetches all template values uses the templateset property, which is embedded unsanitized into the query string.

With a malicious theme, one can control this attribute and let the cache function return attacker controlled values. As a result, an attacker can execute arbitrary PHP code and compromise the underlying server.
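The second-order pattern described above, modelled as an added example in Python with sqlite3; it is not MyBB's PHP code. The schema, the XML element names, the query shape and all function names are assumptions made for illustration. It shows why a parameterized insert at upload time is not enough, and the two places a fix belongs.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed theme files; element names are assumptions, not MyBB's format.
BENIGN = "<theme><properties><templateset>1</templateset></properties></theme>"
HOSTILE = ("<theme><properties><templateset>"
           "0) UNION SELECT 'welcome', 'ATTACKER VALUE' --"
           "</templateset></properties></theme>")

def is_id(value):
    return re.fullmatch(r"[0-9]{1,9}", value or "") is not None

def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE themes (tid INTEGER PRIMARY KEY, templateset TEXT)")
    db.execute("CREATE TABLE templates (sid INTEGER, title TEXT, template TEXT)")
    db.execute("INSERT INTO templates VALUES (1, 'welcome', 'Welcome back!')")
    return db

def import_theme(db, xml_text, validate=True):
    value = ET.fromstring(xml_text).findtext("properties/templateset")
    if validate and not is_id(value):  # fix 1: reject non-numeric ids at upload
        raise ValueError("templateset must be a numeric id")
    # Parameterized insert: safe here, but it stores a hostile string verbatim.
    return db.execute("INSERT INTO themes (templateset) VALUES (?)", (value,)).lastrowid

def stored_templateset(db, tid):
    return db.execute("SELECT templateset FROM themes WHERE tid = ?", (tid,)).fetchone()[0]

def load_cache_unsafe(db, tid):
    # Second-order flaw: a value read back from the database is concatenated.
    ts = stored_templateset(db, tid)
    sql = f"SELECT title, template FROM templates WHERE sid IN (-2, {ts})"
    return dict(db.execute(sql).fetchall())

def load_cache_safe(db, tid):
    ts = stored_templateset(db, tid)
    if not is_id(ts):  # fix 2: stored data is untrusted too, fail closed
        return {}
    sql = "SELECT title, template FROM templates WHERE sid IN (-2, ?)"
    return dict(db.execute(sql, (int(ts),)).fetchall())

if __name__ == "__main__":
    db = setup()
    bad = import_theme(db, HOSTILE, validate=False)  # pre-fix import path
    print("unsafe:", load_cache_unsafe(db, bad))
    print("safe:  ", load_cache_safe(db, bad))
```

Both fixes matter: validation at upload stops new hostile rows, while binding and re-validating at query time covers rows stored before the fix.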
