ASA-2019-00375 – MyBB: Stored Cross-Site Scripting (XSS) through video bbcode

Allele Security Alert



ASA-2019-00375, CVE-2019-12830


Stored Cross-Site Scripting (XSS) through video bbcode


MyBB Group



Affected version(s)

MyBB versions prior to 1.8.21

Fixed version(s)

MyBB version 1.8.21 or later

Proof of concept



A Stored Cross-Site Scripting (XSS) vulnerability exists in MyBB 1.8.20 and prior versions, caused by a parsing error in posts and private messages.

Technical details

MyBB uses a three-step process to parse and render threads, posts and private messages. Its purpose is to sanitize user input and render so-called mycodes or bbcodes. Bbcodes are a simple way for forum users to embed, for example, images, links and videos in posts.

The process begins by escaping all HTML tags and double quotes. It then converts all video mycodes into iframe tags that embed videos from, e.g., YouTube. Video bbcodes are rendered in a step of their own because they can be disabled by administrators (they are enabled by default). Finally, it converts all other mycodes, such as url, quote and email, into HTML markup.

The fact that video bbcodes were converted to HTML markup in a different step than all other bbcodes led to the idea that it might be possible to craft a video bbcode whose resulting HTML markup contains other bbcodes in its attributes.

The idea is that MyBB will then replace the url bbcode within the iframe’s src with more HTML markup containing double quotes ("), thus corrupting the HTML and leading to an attribute injection.

In the resulting markup, the src attribute of the iframe is closed by the injected href attribute and its quote. This leads to the onload event handler being injected into the iframe HTML tag.

Usually, it would not be possible to inject bbcodes within other bbcodes as regex filters are in place that prevent such attacks. However, the callback method that is responsible for rendering video bbcodes calls urldecode() on the URL of the video that should be embedded (e.g. This is shown in the following code snippet:


function mycode_parse_video($video, $url)
{
    global $templates;

    if(empty($video) || empty($url))
        return "";

    // The URL is urldecoded before it is parsed, so URL-encoded
    // characters are handled further on in their decoded form.
    $parsed_url = @parse_url(urldecode($url));

    // [...]
}

Because the video URL is urldecoded, the regex protection can be bypassed and a url bbcode injected, as depicted above, by URL encoding it. This then leads to an onload event handler being injected into the <iframe> tag. This event handler triggers as soon as the page within the iframe is loaded, so no user interaction is required to trigger malicious JavaScript code.
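The defensive pattern this bug calls for, as an added example that is neither MyBB's code nor its 1.8.21 patch: validate the value after it has been decoded, and build the iframe src only from constants plus the validated video ID, so no bracket or quote can reach a later bbcode pass. The function name, host allow-list, ID pattern and sample URLs are assumptions made for this sketch.

```php
<?php
// Added example, not MyBB code. Allow-list maps a host to the query
// parameter that carries the video ID (assumed values for illustration).
const VIDEO_HOSTS = ['www.youtube.com' => 'v', 'youtube.com' => 'v'];

// Hypothetical helper: returns iframe markup, or null if the URL is rejected.
function safe_video_embed(string $url): ?string
{
    // Parse the raw URL; do NOT urldecode() the whole string first.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !array_key_exists($host, VIDEO_HOSTS)) {
        return null;
    }

    // parse_str() percent-decodes values, so the check below sees the
    // final decoded form rather than the encoded one a regex would miss.
    parse_str($parts['query'] ?? '', $query);
    $id = $query[VIDEO_HOSTS[$host]] ?? null;
    if (!is_string($id) || !preg_match('/\A[A-Za-z0-9_-]{6,20}\z/', $id)) {
        return null; // rejects [ ] " < > and any other markup character
    }

    // Only constants and the validated ID are emitted; escape regardless.
    $src = 'https://www.youtube.com/embed/' . $id;
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . '" allowfullscreen></iframe>';
}

// Constructed sample inputs.
$samples = [
    'https://www.youtube.com/watch?v=abcDEF12345',            // accepted
    'https://www.youtube.com/watch?v=%5Burl%5Dx%5B%2Furl%5D', // encoded bbcode: rejected
    'https://example.org/watch?v=abcDEF12345',                // host not allow-listed: rejected
];
foreach ($samples as $sample) {
    var_dump(safe_video_embed($sample));
}
```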


Simon Scannell (RIPS Technologies)


MyBB 1.8.21 Released — Security & Maintenance Release

MyBB <= 1.8.20: From Stored XSS to RCE

MyBB 1.8.21



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.