MyBB 1.8.6: Improper validation of data passed to eval

MyBB 1.8.6: Improper validation of data passed to eval

Date: 2016-09-15 14:19:54
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: MyBB 1.8.6
Fixed in: 1.8.7
Fixed Version Link:
Vendor Website:
Vulnerability Type: Improper validation of data passed to eval
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it improperly validates templates that are passed to eval, allowing for the disclosure of the database password. If the database is writable from remote, it may also lead to code execution.

An admin account is required.

3. Details


CVSS: Low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N

MyBB allows an admin to edit templates. These templates can contain HTML, and it is possible to read out the content of PHP variables as well as the properties of objects. There are filters in place which should make it impossible to call functions or to read out sensitive information such as database credentials.

Templates are used as following:

eval('$variable = "'.$templates->get('templateName').'";');

$templates->get returns the template as saved in the database, with double quotes and slashes escaped.

When saving a template, the template is passed to the check_template function to check if it contains malicious content. The checks try to prevent the reading of the database password as well as the calling of functions. This means that none of the naive attempts to read out the database password - eg $config['database']['password'], $config[database][password], or $config["database"]["password"] - would work.

However, it is still possibly to read out the database password by setting the value of an existing variable to "password" and using that variable when reading out the password, thus bypassing the filter.

Proof of Concept

First, edit a template such as the usercp_profile_contact_fields_field template: http://localhost/mybb_1806/Upload/admin/index.php?module=style-templates&action=edit_template&title=usercp_profile_contact_fields_field&sid=1&expand=15 Add this line at the beginning: {$cfvalue}: {$config['database'][$cfvalue]} Now, visit the profile: http://localhost/mybb_1806/Upload/usercp.php?action=profile As any of the "Additional Contact Information" values, use "password" to read out the database password, "hostname" to read out the hostname, and "username" to read out the user.

In case that the database is writable from remote, an attacker could now also gain code execution, as check_template is applied when saving templates, not when loading them. Example query:

UPDATE mybb_templates SET template="{${phpinfo()}}" WHERE title="usercp_profile_contact_fields_field";

Visiting the profile will execute the injected code.


inc/config.php $config['database']['password'] = '[THE_DATABASE_PASSWORD]'; admin/inc/functions.php function check_template($template) { // Check to see if our database password is in the template if(preg_match("#database'?\\s*\]\\s*\[\\s*'?password#", $template)) { return true; } // System calls via backtick if(preg_match('#\$\s*\{#', $template)) { return true; } // Any other malicious acts? // Courtesy of ZiNgA BuRgA if(preg_match("~\\{\\$.+?\\}~s", preg_replace('~\\{\\$+[a-zA-Z_][a-zA-Z_0-9]*((?:-\\>|\\:\\:)\\$*[a-zA-Z_][a-zA-Z_0-9]*|\\[\s*\\$*([\'"]?)[a-zA-Z_ 0-9 ]+\\2\\]\s*)*\\}~', '', $template))) { return true; } return false; } usercp.php (as one example) foreach(array('icq', 'aim', 'yahoo', 'skype', 'google') as $cfield) { $contact_fields[$cfield] = ''; $csetting = 'allow'.$cfield.'field'; if($mybb->settings[$csetting] == '') { continue; } if(!is_member($mybb->settings[$csetting])) { continue; } $cfieldsshow = true; $lang_string = 'contact_field_'.$cfield; $lang_string = $lang->{$lang_string}; $cfvalue = htmlspecialchars_uni($user[$cfield]); eval('$contact_fields[$cfield] = "'.$templates->get('usercp_profile_contact_fields_field').'";'); }

4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public