cbcvebase.
CVE-2017-16780
published 2017-11-10

CVE-2017-16780: The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

PriorityP263critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
5.77%
92.2th percentile
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

Affected

1 ranges
VendorProductVersion rangeFixed in
mybbmybb<= 1.8.12

Detection & IOCsextracted from sources · hover to see the quote

path/install/index.php
path/inc/config.php
  • Monitor for unexpected POST requests to /install/index.php, especially from unauthenticated or cross-origin sources, which may indicate CSRF-driven exploitation of the installer.
  • Alert on modifications to /inc/config.php at the filesystem level; legitimate MyBB operation should not rewrite this file post-installation.
  • Detect presence of single-quote or path-traversal sequences (e.g., ./ or ../) in the Database Path field submitted to the MyBB installer, as these are the injection vectors.
  • Check whether the /install/ directory lock is absent on production MyBB instances; an unlocked installer is a prerequisite for direct (non-CSRF) exploitation.
  • ·Exploitation requires the /install/ directory to be accessible (no lock file present); if the lock exists, an attacker must additionally leverage CSRF with an authenticated admin victim.
  • ·The injection specifically targets SQLite database configurations; the Database Path value is written verbatim into /inc/config.php line 11 without sanitisation in affected versions.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.