Exploitation Level: Easy/Remote
DREAD Score: 8.0
Vulnerability: Stored XSS
Patched Version: 1.8.21
The open source PHP forum software MyBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in the private messaging and post modules.
What Are the Risks?
Unpatched websites could allow bad actors to send booby-trapped posts or private messages to users. These would execute rogue JavaScript code when opened, momentarily giving the attacker’s scripts all privileges to the targeted account.
If administrators are targeted, successful attacks could trick their browser into hacking their own site by executing code on the server, granting the assailants full power over the site.
Technical Details
As mentioned in the researchers' advisory, the vulnerability specifically affects the [video] bbcode. It allows other bbcodes, such as [url], to be embedded into the iframe rendered by the video code, which corrupts its HTML attributes and allows malicious event handlers to be injected.
Furthermore, a database column truncation bug allowed administrators to store PHP backdoors on their site. While not as critical as it may first seem (administrators own their site), combining this bug with the XSS attack vector makes it possible for an attacker to trick the owner’s browser into taking over its own site, using the bad actor’s backdoor.
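A defensive illustration of the bbcode nesting problem described above, added here and not MyBB's or the researchers' code: a video-tag handler that rejects nested bbcode and builds the iframe only from a validated ID, plus an audit over stored messages. The `[video=provider]URL[/video]` syntax, the YouTube allowlist, the function names and the sample rows are assumptions made for this example.

```python
import re
from html import escape
from urllib.parse import urlparse, parse_qs

# Assumed tag syntax (not stated on the page): [video=provider]URL[/video]
VIDEO_TAG = re.compile(r"\[video=([a-z]+)\](.*?)\[/video\]", re.I | re.S)
YOUTUBE_ID = re.compile(r"[A-Za-z0-9_-]{11}")
FORBIDDEN = re.compile(r"[\[\]<>\"'\s]")  # nested bbcode, markup, quotes, whitespace


def video_embed(provider, url):
    """Return iframe HTML for an allowlisted video URL, or None if rejected."""
    if provider.lower() != "youtube" or FORBIDDEN.search(url):
        return None
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in ("www.youtube.com", "youtube.com"):
        return None
    video_id = parse_qs(parts.query).get("v", [""])[0]
    if not YOUTUBE_ID.fullmatch(video_id):
        return None
    # Only the validated ID reaches the attribute; escape() is defence in depth.
    return '<iframe src="https://www.youtube.com/embed/%s"></iframe>' % escape(video_id)


def render(message):
    """Escape the whole message; expand only video tags that validate."""
    out, pos = [], 0
    for m in VIDEO_TAG.finditer(message):
        out.append(escape(message[pos:m.start()]))
        html = video_embed(m.group(1), m.group(2))
        out.append(html if html is not None else escape(m.group(0)))
        pos = m.end()
    out.append(escape(message[pos:]))
    return "".join(out)


def audit(rows):
    """Return ids of stored messages whose video tag fails validation."""
    return [rid for rid, body in rows
            if any(video_embed(p, u) is None for p, u in VIDEO_TAG.findall(body))]


# Constructed sample rows (id, body); not taken from a real forum.
ROWS = [
    (1, "Watch [video=youtube]https://www.youtube.com/watch?v=abcDEF12345[/video]"),
    (2, "[video=youtube]https://www.youtube.com/watch?v=[url]https://example.org[/url][/video]"),
    (3, "No video here, just [b]bold[/b] text."),
]
```

Running `audit(ROWS)` flags only the row whose video tag carries a nested `[url]`; `render` leaves that tag as inert escaped text instead of an iframe.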
Update As Soon As Possible
Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what make this vulnerability particularly dangerous.
To protect against this vulnerability, we strongly encourage MyBB users to update their site to version 1.8.21 as soon as possible. Users that are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.