```php
/**
 * Disallowed Remote Addresses
 * List of IPv4 addresses the fetch_remote_file() function
 * will not perform requests to.
 * It is recommended that you enter addresses resolving to
 * the forum server here to prevent Server Side Request
 * Forgery attacks.
 * Removing all values disables resolving hosts in that
 * function.
 */
$config['disallowed_remote_addresses'] = array(
	'0.0.0.0',
	'127.0.0.0/8',
	'10.0.0.0/8',
	'172.16.0.0/12',
	'192.168.0.0/16',
);
```
Additionally, we recommend verifying that the list includes any other IPv4 addresses resolving to the server and to other internal resources.
Impact
The default list of disallowed remote hosts does not contain the 127.0.0.0/8 block, which may result in an SSRF vulnerability: a remote hostname that resolves to a loopback address other than 127.0.0.1 is not rejected.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Details
The Configuration File's Disallowed Remote Addresses list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. Any other address in that loopback range therefore passes the check.
Patches
MyBB 1.8.38 resolves this issue with the following changes:
.patch: https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630.patch
Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default, as listed in the `$config['disallowed_remote_addresses']` block shown at the top of this advisory.
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.