CVE-2017-16780
Published 2017-11-10
Priority: P263 · critical · 9.8 (CVSS 3.0)
Exploit / EPSS: 5.77% (92.2th percentile)
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mybb | mybb | <= 1.8.12 | — |
Detection & IOCs (extracted from sources)
- Monitor for unexpected POST requests to /install/index.php, especially from unauthenticated or cross-origin sources, which may indicate CSRF-driven exploitation of the installer.
- Alert on modifications to /inc/config.php at the filesystem level; legitimate MyBB operation should not rewrite this file post-installation.
- Detect the presence of single-quote or path-traversal sequences (e.g., ./ or ../) in the Database Path field submitted to the MyBB installer, as these are the injection vectors.
- Check whether the /install/ directory lock is absent on production MyBB instances; an unlocked installer is a prerequisite for direct (non-CSRF) exploitation.
- Exploitation requires the /install/ directory to be accessible (no lock file present); if the lock exists, an attacker must additionally leverage CSRF with an authenticated admin victim.
- The injection specifically targets SQLite database configurations; the Database Path value is written verbatim into /inc/config.php line 11 without sanitisation in affected versions.
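The first and third detection items above, worked into a small log check. This is an added example, not code from the page or from the MyBB project; it assumes Apache combined-format access logs and a site origin you supply, and the log lines are constructed for the demonstration.

```python
import re

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2017:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2017:12:00:05 +0000] "POST /install/index.php HTTP/1.1" 200 2210 "http://evil.example/" "Mozilla/5.0"
203.0.113.4 - - [10/Nov/2017:12:00:09 +0000] "POST /install/index.php?action=database_info HTTP/1.1" 302 0 "https://forum.example/install/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def flag_installer_posts(log_text, site_origin):
    """Return (ip, path, reason) for every POST to /install/ in the log.

    On a deployed forum the installer should never receive POSTs at all, so each
    one is reported; a missing or cross-origin Referer (relative to site_origin,
    an assumed parameter such as "https://forum.example") is called out separately
    because it is the shape a CSRF-driven request takes.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/install/"):
            continue
        ref = m["referer"]
        if ref == "-" or not ref.startswith(site_origin):
            reason = "cross-origin or missing referer"
        else:
            reason = "installer POST after deployment"
        hits.append((m["ip"], m["path"], reason))
    return hits


# The page names single quotes and ./ or ../ as the injection vectors in the
# SQLite Database Path field; "../" is covered by the "./" substring check.
INJECTION_TOKENS = ("'", "./")


def suspicious_db_path(value):
    """True when a submitted Database Path value contains an injection token."""
    return any(tok in value for tok in INJECTION_TOKENS)
```

Feed real access logs through flag_installer_posts and treat any hit on a production instance as worth a look, since the lock file should make the installer unreachable in the first place.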
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.