Sucuri Blog

Stored XSS in MyBB <= 1.8.20

June 11, 2019, by Marc-Alexandre Montpas

Exploitation Level: Easy/Remote

DREAD Score: 8.0

Vulnerability: Stored XSS

Patched Version: 1.8.21

The open source PHP forum software MyBB recently published a new update, version 1.8.21. It is a security release that fixes a Stored XSS vulnerability in the private messaging and post modules.

What Are the Risks?

On unpatched forums, bad actors can send booby-trapped posts or private messages to other users. When the victim opens one, the embedded JavaScript runs in their browser with every privilege the targeted account holds for as long as the page stays open.

If an administrator is targeted, a successful attack can turn their own browser against the site: the injected script acts as the administrator, and in combination with the truncation bug described in the technical details it can end in code execution on the server and full control of the site for the assailant.

Technical Details

As mentioned in the researcher's advisory, the vulnerability specifically affects the [video] bbcode. It allows other bbcodes, such as [url], to be embedded inside the iframe rendered by the video code; the HTML produced for the inner tag lands in the iframe's attributes, corrupting them and allowing malicious event handlers to be injected.
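To make the bug class concrete, here is an added example in Python. It is my own illustration, not MyBB's code and not taken from the researcher's advisory: a toy bbcode renderer that expands nested tags before building the iframe (the shape of the flaw described above), a hardened version that expands [video] first, accepts only a well-formed video id and escapes attribute values, and a check that parses the rendered markup the way a browser would and lists any inline event handlers it finds. The payload, the tag regexes and the 11-character id allow-list are assumptions made for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload for this example (not taken from the advisory): a [url]
# tag nested inside [video] whose "URL" smuggles a quote and an event handler.
PAYLOAD = '[video=youtube][url=x" onload="alert(1)]x[/url][/video]'

URL_RE = re.compile(r'\[url=([^\]]+)\](.*?)\[/url\]', re.S)
VIDEO_RE = re.compile(r'\[video=youtube\](.*?)\[/video\]', re.S)
# Hypothetical allow-list for the embedded id: YouTube ids are 11 URL-safe chars.
YOUTUBE_ID_RE = re.compile(r'^[A-Za-z0-9_-]{11}$')


def render_vulnerable(text: str) -> str:
    """Toy renderer with the bug class: inner bbcodes are expanded first and
    their HTML is pasted, unescaped, into the iframe's src attribute."""
    text = URL_RE.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', text)
    text = VIDEO_RE.sub(
        lambda m: f'<iframe src="https://www.youtube.com/embed/{m.group(1)}"></iframe>',
        text)
    return text


def render_hardened(text: str) -> str:
    """Expand [video] before any other bbcode, accept only a well-formed video
    id (so nested tags can never reach the attribute), and attribute-escape
    everything that is emitted inside quotes."""
    def video(m: re.Match) -> str:
        vid = m.group(1).strip()
        if not YOUTUBE_ID_RE.match(vid):
            return m.group(0)  # leave malformed tags as literal text
        return (f'<iframe src="https://www.youtube.com/embed/'
                f'{html.escape(vid, quote=True)}"></iframe>')

    def url(m: re.Match) -> str:
        return (f'<a href="{html.escape(m.group(1), quote=True)}">'
                f'{html.escape(m.group(2))}</a>')

    text = VIDEO_RE.sub(video, text)
    text = URL_RE.sub(url, text)
    return text


class _EventHandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* attribute, as seen after
    tokenising the rendered markup like a browser would."""
    def __init__(self) -> None:
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith('on'):
                self.hits.append((tag, name.lower()))


def event_handlers(markup: str):
    """Return the inline event handlers a browser would attach for markup."""
    p = _EventHandlerFinder()
    p.feed(markup)
    p.close()
    return p.hits


if __name__ == '__main__':
    for label, render in (('vulnerable', render_vulnerable),
                          ('hardened', render_hardened)):
        out = render(PAYLOAD)
        print(f'{label}: {out}')
        print(f'  event handlers: {event_handlers(out)}')
```

The vulnerable path produces an iframe whose src attribute is closed early by the quote inside the nested tag, so `onload` becomes an attribute of the iframe itself; the hardened path never lets arbitrary text reach an attribute, because the id must match the allow-list and anything emitted inside quotes is escaped. Order of expansion matters as much as escaping: rendering the outer tag first removes the opportunity for inner tags to rewrite its output.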

Furthermore, a database column truncation bug allowed administrators to store PHP backdoors on their own site. On its own this is less serious than it first appears, since administrators already own the site, but chained with the XSS vector it lets an attacker make the owner's browser plant the attacker's backdoor and thereby take over the site.

Update As Soon As Possible

Attacks of this kind are serious because they need nothing more than the ability to post or send a private message, so they can be automated and launched against many vulnerable forums at once. The number of active installs, the ease of exploitation, and the impact of a successful attack are what make this vulnerability particularly dangerous.

To protect against this vulnerability, we strongly encourage MyBB users to update to version 1.8.21 as soon as possible. Users who cannot update immediately can use the Sucuri Firewall or an equivalent web application firewall to virtually patch the vulnerability until they can.

Categories: Vulnerability Disclosure, Website Malware Infections, Website Security
Tags: Remote Code Execution, XSS

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.
