
ACP Templates RCE

High
dvz published GHSA-pr74-wvp3-q6f5 Aug 28, 2023

Package

MyBB

Affected versions

< 1.8.36

Patched versions

1.8.36

Description

Impact

Improper validation logic in the Admin CP's Templates module allows remote authenticated users to execute arbitrary code (RCE) by supplying specially crafted template content.

The vulnerable module requires administrative access with one of the following permissions:

  • Can manage templates?
  • Can manage themes?

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

In MyBB 1.8, templates consist of HTML code with basic references to PHP variables and are rendered by executing them as PHP code (eval()). The restriction to such basic references is enforced through regular expression-based validation, performed when themes are imported and when individual templates are modified.

However, the validation process did not account for runtime errors in PHP's regular expression operations (PCRE), which may occur, among other cases, when resource limits are exceeded while processing specific content.

As a result of using loose comparisons (which allow type juggling) in connection with PHP functions whose return types may change depending on the error state, the returned values may have been misinterpreted as those indicating safe content:

  • preg_match() (integer 0 indicating no suspicious content — boolean false on PCRE errors)
  • preg_replace() (string with all remaining expressions interpreted as unsafe — null on PCRE errors)
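
The return-value confusion described above, shown as an added example that is not MyBB's code: the function names, the pattern and the sample string are hypothetical and constructed, and the demo lowers PHP's PCRE limits so that a harmless string puts the functions into the error state. It assumes PHP 8.0 or later for preg_last_error_msg().

```php
<?php
// Added illustration, not MyBB code. Function names and the pattern are hypothetical.

// Constructed, backtracking-prone pattern standing in for a "suspicious content" check.
const CHECK = '/(?:\D+|<\d+>)*[!?]/';

// Loose form: preg_match() returns false on a PCRE error, and false == 0 is true,
// so an errored check is read as "nothing suspicious found".
function is_safe_loose(string $template): bool
{
    return preg_match(CHECK, $template) == 0;
}

// Strict form: only integer 0 with no PCRE error counts as safe; errors fail closed.
function is_safe_strict(string $template): bool
{
    $result = preg_match(CHECK, $template);
    return $result === 0 && preg_last_error() === PREG_NO_ERROR;
}

// Same idea for preg_replace(): null means "error", not "nothing left over".
function strip_allowed(string $pattern, string $template): string
{
    $rest = preg_replace($pattern, '', $template);
    if ($rest === null) {
        throw new RuntimeException('PCRE error: ' . preg_last_error_msg());
    }
    return $rest;
}

// Demo: force the error state on a harmless string by shrinking the PCRE limits.
ini_set('pcre.jit', '0');               // the backtrack limit applies to the interpreter
ini_set('pcre.backtrack_limit', '100');

$sample = 'foobar foobar foobar';       // constructed input
var_dump(is_safe_loose($sample));       // loose check result under a PCRE error
var_dump(is_safe_strict($sample));      // strict check result under the same error
try {
    strip_allowed(CHECK, $sample);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The strict forms treat any PCRE error as a validation failure, so content that could not be checked is rejected rather than accepted.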

Patches

MyBB 1.8.36 resolves this issue with the following changes:

Forum administrators can validate all existing templates after applying the patch using the Admin CP's Tools & Maintenance → System Health → Check Templates tool.

References

For more information

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

Contact

The security team can be reached at security@mybb.com.

Severity

High

CVE ID

CVE-2023-41362

Weaknesses