CVE-2021-27890
Published: 2021-03-15
CVE-2021-27890: SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.
Priority: P2 64; severity: high; CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: EPSS 10.59% (95.2 percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mybb | mybb | < 1.8.26 | 1.8.26 |
Detection & IOCs (extracted from sources)
- Detect the nested autourl XSS vector in MyBB posts/PMs: look for BBCode [img] tags containing a closing parenthesis followed by a second URL with an onerror= attribute containing eval(String.fromCharCode(...)).
- Monitor ACP HTTP requests for theme set_default actions (module=style-themes&action=set_default) immediately following a theme import, which is the final trigger step for RCE via eval() of the poisoned template cache.
- Detect outbound reverse shell connections on port 5554 from the web server process (e.g., apache/nginx/php-fpm) spawning /bin/sh, indicative of successful RCE exploitation.
- The exploit chain requires the target administrator to have a valid ACP session; correlate XSS delivery (via PM or post) with subsequent ACP-authenticated requests to style-themes endpoints as a chained attack indicator.
- The exploit is a chained attack requiring three conditions: (1) a valid admin ACP session, (2) the XSS stage successfully executing in the admin's browser, and (3) the SQL injection stage completing theme import; all three must succeed for RCE.
- The XSS payload uses document.write() to load a second-stage .js file from an attacker-controlled external server, described as a way to 'bypass' SOP; the external JS URL must be live for the exploit to proceed.
- The SQL injection is second-order (stored), triggered during theme XML import in the ACP; the malicious payload is embedded in theme XML properties and only fires when the theme is set as default and the cache is reloaded.
- RCE is achieved via PHP eval() executing a template containing ${passthru(base64_decode(...))}; this requires the server to be running PHP with eval() used in template rendering and passthru() not disabled in php.ini.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
No advisories linked to this vulnerability.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html
- https://blog.sonarsource.com/mybb-remote-code-execution-chain
- https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq
Published: 2021-03-15