Local File Inclusion and reading password-protected forums in MyBB

Recently, I've been looking at the MyBB forum software to try to find security issues with it. Here are the results that I have so far. These have been reported privately to the maintainers of the software. The first two are fixed in version 1.8.15, and the third will be fixed in 1.8.16.

1. Local File Inclusion in admin panel.

From the admin panel, select:
Tools and Maintenance -> Task Manager -> Add New Task

Then, when submitting the request, modify the "file" POST parameter as shown below, and the file "../../../file.php" will be executed when the task is run (if the file exists).

2. Read posts in password-protected forums

A feature of MyBB is the ability to create password-protected forums. If a forum is password-protected, then only users who know the password will be able to view the posts in that forum.

However, MyBB does not require a password for users to subscribe to a password-protected forum (or the threads inside it). Furthermore, when users subscribe to a forum, they can get a notification by email or private message every time a user posts. This notification contains an excerpt of the message which was posted in the private forum.

To use, simply access the below URL while logged in as an ordinary user, then follow the prompts:
http://<target website>/usercp2.php?action=addsubscription&type=forum&fid=<forum id>&my_post_key=<your post key>

3. Forum passwords stored in plaintext

Unlike the passwords for users in MyBB (which are hashed), the passwords for password-protected forums are stored in plaintext. Although this is not directly exploitable, if someone gains access the database, they will be able to read the passwords.


Popular posts from this blog

Experimenting with the Audiocodes MP264

Security implications of ANSI escape codes in Git sever responses