Showing posts from March, 2018

Local File Inclusion and reading password-protected forums in MyBB

Recently, I've been looking at the MyBB forum software to try to find security issues with it. Here are the results that I have so far. These have been reported privately to the maintainers of the software. The first two are fixed in version 1.8.15, and the third will be fixed in 1.8.16.
1. Local File Inclusion in admin panel. From the admin panel, select:
Tools and Maintenance -> Task Manager -> Add New Task

Then, when submitting the request, modify the "file" POST parameter as shown below, and the file "../../../file.php" will be executed when the task is run (if the file exists).

2. Read posts in password-protected forums A feature of MyBB is the ability to create password-protected forums. If a forum is password-protected, then only users who know the password will be able to view the posts in that forum.

However, MyBB does not require a password for users to subscribe to a password-protected forum (or the threads inside it). Furthermore, when users s…