Impact
The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on Change Settings pages. This results in a Remote Code Execution (RCE) vulnerability.
The vulnerable module requires Admin CP access with the Can manage settings? permission.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n).
In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use).
In MyBB 1.4.0, a check for settings of type php was added to reject insert and modification requests with custom PHP code, but it did not account for possible extra characters that are removed using trim() when determining the setting type before potential execution.
The checks added in 1.4.0 are present in 1.8.29 at:
The code responsible for identifying the setting type is present in 1.8.29 at:
The code responsible for the execution of stored PHP code associated with settings of type php using an eval() statement is present in 1.8.29 at:
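The root cause described above is a mismatch between how the validation check and the execution path classify a setting's type. The following PHP is an added illustration, not MyBB's code: the function names, the shape of the pre-fix check, and the sample options codes are assumptions. It models both classifiers and a consistency test that a reviewer can run to detect the gap and confirm the fix.

```php
<?php
// Added example (not MyBB's code). Models the type-check/type-detection mismatch
// described in the advisory and its fix; names and structure are assumptions.

// Execution-time classification (assumed shape): the first line of the options
// code, after trim(), is the setting type.
function setting_type(string $options_code): string
{
    $lines = explode("\n", $options_code, 2);
    return trim($lines[0]);
}

// Pre-fix style check (assumed shape): compares the raw first line without
// applying trim(), so it classifies differently from setting_type().
function is_rejected_vulnerable(string $options_code): bool
{
    $lines = explode("\n", $options_code, 2);
    return $lines[0] === 'php';
}

// Hardened check: classify exactly the way the execution path does, and reject
// on that result, so validation and execution can never disagree.
function is_rejected_fixed(string $options_code): bool
{
    return setting_type($options_code) === 'php';
}

// Consistency test: every options code the validator lets through must be
// classified as something other than 'php' at execution time. Returns the
// inputs for which the validator and the executor disagree.
function validator_matches_executor(callable $validator, array $samples): array
{
    $mismatches = [];
    foreach ($samples as $code) {
        if (!$validator($code) && setting_type($code) === 'php') {
            $mismatches[] = $code;
        }
    }
    return $mismatches;
}

// Constructed samples: a legitimate text setting, a plain php-type setting, and
// php-type settings carrying the kind of surrounding characters trim() strips.
$samples = [
    "text\n",
    "php\n/* plugin code */",
    "php \n/* plugin code */",
    "\tphp\n/* plugin code */",
];

var_dump(validator_matches_executor('is_rejected_vulnerable', $samples));
var_dump(validator_matches_executor('is_rejected_fixed', $samples));
```

Run with the PHP CLI; the first var_dump lists the samples on which the raw comparison and the trimmed classification disagree, and the second is empty because the hardened check reuses the execution path's own classifier. The general lesson is that a validator must normalize its input with the same function the consumer uses, or call the consumer's classifier directly.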
Patches
MyBB 1.8.30 resolves this issue with the following changes:
Patch: https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1.patch
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.