MyBB 1.8.6: Improper validation of data passed to eval

Date: 2016-09-15 14:19:54

1. Introduction

2. Overview

MyBB is forum software written in PHP. In version 1.8.6, it improperly validates templates that are passed to eval, allowing for the disclosure of the database password. If the database is writable from remote, it may also lead to code execution.

An admin account is required.

3. Details

Description

CVSS: Low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N

MyBB allows an admin to edit templates. These templates can contain HTML, and it is possible to read out the content of PHP variables as well as the properties of objects. There are filters in place which should make it impossible to call functions or to read out sensitive information such as database credentials.

Templates are used as following:

eval('$variable = "'.$templates->get('templateName').'";');

$templates->get returns the template as saved in the database, with double quotes and slashes escaped.

When saving a template, the template is passed to the check_template function to check if it contains malicious content. The checks try to prevent the reading of the database password as well as the calling of functions. This means that none of the naive attempts to read out the database password - eg $config['database']['password'], $config[database][password], or $config["database"]["password"] - would work.

However, it is still possibly to read out the database password by setting the value of an existing variable to "password" and using that variable when reading out the password, thus bypassing the filter.

Proof of Concept

First, edit a template such as the usercp_profile_contact_fields_field template: http://localhost/mybb_1806/Upload/admin/index.php?module=style-templates&action=edit_template&title=usercp_profile_contact_fields_field&sid=1&expand=15 Add this line at the beginning: {$cfvalue}: {$config['database'][$cfvalue]} Now, visit the profile: http://localhost/mybb_1806/Upload/usercp.php?action=profile As any of the "Additional Contact Information" values, use "password" to read out the database password, "hostname" to read out the hostname, and "username" to read out the user.

UPDATE mybb_templates SET template="{${phpinfo()}}" WHERE title="usercp_profile_contact_fields_field";

Visiting the profile will execute the injected code.

Code

inc/config.php $config['database']['password'] = '[THE_DATABASE_PASSWORD]'; admin/inc/functions.php function check_template($template) { // Check to see if our database password is in the template if(preg_match("#database'?\\s*\]\\s*\[\\s*'?password#", $template)) { return true; } // System calls via backtick if(preg_match('#\$\s*\{#', $template)) { return true; } // Any other malicious acts? // Courtesy of ZiNgA BuRgA if(preg_match("~\\{\\$.+?\\}~s", preg_replace('~\\{\\$+[a-zA-Z_][a-zA-Z_0-9]*((?:-\\>|\\:\\:)\\$*[a-zA-Z_][a-zA-Z_0-9]*|\\[\s*\\$*([\'"]?)[a-zA-Z_ 0-9 ]+\\2\\]\s*)*\\}~', '', $template))) { return true; } return false; } usercp.php (as one example) foreach(array('icq', 'aim', 'yahoo', 'skype', 'google') as $cfield) { $contact_fields[$cfield] = ''; $csetting = 'allow'.$cfield.'field'; if($mybb->settings[$csetting] == '') { continue; } if(!is_member($mybb->settings[$csetting])) { continue; } $cfieldsshow = true; $lang_string = 'contact_field_'.$cfield; $lang_string = $lang->{$lang_string}; $cfvalue = htmlspecialchars_uni($user[$cfield]); eval('$contact_fields[$cfield] = "'.$templates->get('usercp_profile_contact_fields_field').'";'); }

4. Solution

To mitigate this issue please upgrade at least to version 1.8.7:

http://resources.mybb.com/downloads/mybb_1807.zip

Please note that a newer version might already be available.

5. Report Timeline