Impact
The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on Change Settings pages. This results in a Remote Code Execution (RCE) vulnerability.
The vulnerable module requires Admin CP access with the Can manage settings? permission.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n).
The options code string could be set using a single HTTP parameter starting with MyBB RC4; in MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use).
In MyBB 1.4.0, a check for settings of type php was added to reject insert and modification requests with custom PHP code, but did not account for the possibility of overwriting the options code string completely. The options code string, up to MyBB 1.8.28, was not checked, therefore making it possible to supply an overriding value and add or modify settings with user-supplied PHP code.
The checks added in 1.4.0 are present in 1.8.28 at:
The code responsible for overriding the options code string with the value of the extra parameter, when the parameter type is set to custom, is present in 1.8.28 at:
The code responsible for the execution of stored PHP code associated with settings of type php using an eval() statement is present in 1.8.28 at:
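The following is an added illustration, not MyBB's own code, of the validation flaw the advisory describes and of the defensive pattern that closes it: the setting type is the first line of the options code string, and a check applied to the form's type field alone is bypassed when a custom parameter is allowed to replace the whole options code string. The function names, the `type`/`extra` input keys and the allow-list of setting types are assumptions chosen for this example; the sample requests are constructed.

```php
<?php
// Added example (not MyBB's code). The setting type is the first line of the
// options code string; everything after the first "\n" is type-specific data.
function settingTypeFromOptionsCode(string $optionsCode): string
{
    $firstLine = strtok($optionsCode, "\n");
    return $firstLine === false ? '' : trim($firstLine);
}

// Weak pattern, modelled on the flaw described above: the type is validated on
// the submitted form field, but when the field is "custom" the raw "extra"
// value overwrites the entire options code string, and that final string is
// never re-checked before it is stored and later interpreted.
function buildOptionsCodeWeak(array $input): string
{
    if ($input['type'] === 'php') {
        throw new InvalidArgumentException('Setting type php is reserved');
    }
    if ($input['type'] === 'custom') {
        return (string)($input['extra'] ?? '');   // may start with "php\n"
    }
    return $input['type'] . "\n" . ($input['extra'] ?? '');
}

// Illustrative allow-list of storable setting types (an assumption for this
// example, not MyBB's definitive list); "php" is deliberately absent.
const ALLOWED_SETTING_TYPES = ['text', 'numeric', 'textarea', 'yesno', 'onoff',
                               'select', 'radio', 'checkbox', 'language'];

// Hardened pattern: derive the final options code string first, then validate
// the type that will actually be stored, rather than the field the user labelled.
function buildOptionsCodeHardened(array $input): string
{
    $optionsCode = ($input['type'] === 'custom')
        ? (string)($input['extra'] ?? '')
        : $input['type'] . "\n" . ($input['extra'] ?? '');

    $storedType = settingTypeFromOptionsCode($optionsCode);
    if (!in_array($storedType, ALLOWED_SETTING_TYPES, true)) {
        throw new InvalidArgumentException("Setting type '$storedType' is not allowed");
    }
    return $optionsCode;
}

// Constructed sample requests: a benign text setting, and a "custom" request
// whose overriding options code declares type php.
$samples = [
    ['type' => 'text',   'extra' => ''],
    ['type' => 'custom', 'extra' => "php\n/* constructed: anything after the type line would be evaluated */"],
];
foreach ($samples as $s) {
    foreach (['buildOptionsCodeWeak', 'buildOptionsCodeHardened'] as $fn) {
        try {
            $code = $fn($s);
            printf("%-25s accepted, stored type = %s\n", $fn, settingTypeFromOptionsCode($code));
        } catch (InvalidArgumentException $e) {
            printf("%-25s rejected: %s\n", $fn, $e->getMessage());
        }
    }
}
```

Run with `php example.php`: the weak builder accepts the second request with a stored type of php, while the hardened builder rejects it, because the check is applied to the value that will reach the eval() path, not to the field the user chose to label.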
Patches
MyBB 1.8.29 resolves this issue with the following changes:
- .patch: https://github.com/mybb/mybb/commit/89ba6fd39fca4ede328f69deca9aba7b57f2c5d1.patch
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.