Allele Security Alert
ASA-2019-00375
Identifier(s)
ASA-2019-00375, CVE-2019-12830
Title
Stored Cross-Site Scripting (XSS) through video bbcode
Vendor(s)
MyBB Group
Product(s)
MyBB
Affected version(s)
MyBB version prior to 1.8.21
Fixed version(s)
MyBB version 1.8.21 or later
Proof of concept
Unknown
Description
There is a Stored Cross-Site Scripting (XSS) vulnerability that occurred due to a parsing error in posts and private messages in MyBB 1.8.20 and prior versions.
Technical details
MyBB uses a three-step process to parse and render threads, posts and private messages. The purpose of this process is to sanitize user input and render so-called mycodes or bbcodes. Bbcodes are a simple way for forum users to embed, for example, images, links and videos in posts.
The process begins by escaping all HTML tags and double quotes. It then converts all video mycodes into iframe tags that embed videos from, e.g., YouTube. Video bbcodes are rendered in a separate step because administrators can disable them (they are enabled by default). Finally, it converts all other mycodes, such as url, quote and email, into HTML markup.
The fact that video bbcodes were converted to HTML markup in a different step than all other bbcodes led to the idea that it might be possible to craft a video bbcode whose resulting HTML markup contains other bbcodes in its attributes.
The idea is that MyBB will then replace the url bbcode within the iframe's src with more HTML markup containing double quotes ("), thus corrupting the HTML and leading to an attribute injection.
As can be seen, the src attribute of the iframe is then closed by the injected href attribute and its quote. This leads to an onload event handler being injected into the iframe HTML tag.
Usually, it would not be possible to inject bbcodes within other bbcodes, as regex filters are in place that prevent such attacks. However, the callback method that is responsible for rendering video bbcodes calls urldecode() on the URL of the video that should be embedded (e.g. youtube.com/xyz). This is shown in the following code snippet:
inc/class_parser.php

    function mycode_parse_video($video, $url)
    {
        global $templates;

        if(empty($video) || empty($url))
        {
            return "";
        }

        // The URL is decoded before it is parsed, so an encoded bbcode
        // survives the earlier regex filters and is parsed in decoded form.
        $parsed_url = @parse_url(urldecode($url));

        // [...]
    }
The fact that the video URL is urldecoded allows the regex protection to be bypassed and a url bbcode to be injected, as depicted above, by URL-encoding it. This then leads to an onload event handler being injected into the <iframe> tag. This event handler triggers as soon as the page within the iframe is loaded, so no user interaction is required to trigger malicious JavaScript code.
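The three-step pipeline and the urldecode() call above share one lesson: a value that is decoded after it was escaped and filtered must be validated and escaped again at the point where it is written into an attribute. The following helper is an added illustration written for this alert; it is not MyBB's code and not the fix shipped in 1.8.21. It assumes a hypothetical allowlist of embeddable hosts and a single constructed set of sample inputs.

```php
<?php
// Added illustration, not MyBB's code and not the 1.8.21 fix. It shows the
// defensive ordering for a user-supplied video URL: decode once, validate the
// decoded value, then escape immediately before it is placed in an attribute.

// Hypothetical allowlist of hosts the forum is willing to embed (constructed).
const ALLOWED_VIDEO_HOSTS = ['www.youtube.com', 'youtube.com', 'youtu.be'];

/**
 * Returns iframe markup for a video URL, or null when the URL is rejected.
 */
function safe_video_iframe(string $raw_url): ?string
{
    // Step 1: decode exactly once, so every check below sees the same bytes
    //         that would end up in the generated markup.
    $decoded = urldecode($raw_url);

    // Step 2: reject decoded values that still carry bbcode brackets or any
    //         character able to terminate an HTML attribute or tag.
    if (preg_match('/[\[\]"\'<>]/', $decoded)) {
        return null;
    }

    $parts = parse_url($decoded);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_VIDEO_HOSTS, true)) {
        return null;
    }

    // Step 3: escape at the point of insertion. ENT_QUOTES guarantees that a
    //         double quote can never close the src attribute, whatever the
    //         later bbcode passes do with the surrounding text.
    $src = htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<iframe src="' . $src . '"></iframe>';
}

// Constructed sample inputs for a quick self-check.
$samples = [
    'https://www.youtube.com/embed/abc123',        // accepted
    'https://www.youtube.com/embed/abc%5Burl%5Dx', // decodes to a bracketed bbcode, rejected
    'https://www.youtube.com/embed/abc%22x',       // decodes to a double quote, rejected
    'https://evil.example/embed/abc123',           // host not on the allowlist, rejected
];
foreach ($samples as $s) {
    var_dump(safe_video_iframe($s));
}
```

The point of the helper is the order of operations rather than the particular checks: decoding happens first, the allowlist and character checks run on the decoded string, and htmlspecialchars() is the last thing applied before concatenation, so no later parsing step can reintroduce an unescaped quote into the attribute.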
Credits
Simon Scannell (RIPS Technologies)
Reference(s)
MyBB 1.8.21 Released — Security & Maintenance Release
https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/
MyBB <= 1.8.20: From Stored XSS to RCE
https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/
MyBB 1.8.21
https://github.com/mybb/mybb/commit/44fc01f723b122be1bc8daaca324e29b690901d6
CVE-2019-12830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12830
CVE-2019-12830
https://nvd.nist.gov/vuln/detail/CVE-2019-12830
If there is any error in this alert or you wish for a comprehensive analysis, let us know.
Last modified: June 23, 2019