ASA-2019-00376 – MyBB: Remote Code Execution (RCE) in Admin panel via File Write

Allele Security Alert



ASA-2019-00376, CVE-2019-12831


Remote Code Execution (RCE) in Admin panel via File Write


MyBB Group



Affected version(s)

MyBB versions prior to 1.8.21

Fixed version(s)

MyBB version 1.8.21 or later

Proof of concept



There is an authenticated Remote Code Execution (RCE) vulnerability that can be exploited by administrators of a forum.

Technical details

Administrators of a MyBB forum can manage stylesheets of the active theme of their installation within the Admin Panel. They can also create new stylesheet files on the server and choose the filename.

An obvious File Write vulnerability would occur if an attacker in the role of an administrator account could simply create a new stylesheet file and call it for example shell.php.

However, a quick investigation of the source code behind this functionality revealed that only the .css file extension was allowed:


    foreach($theme['stylesheets']['stylesheet'] as $stylesheet) {
263 if(substr($stylesheet['attributes']['name'], -4) != ".css"){
264 continue;

What captured our attention was what happened after the extension had been checked. Instead of simply creating the stylesheet file in the file system, MyBB first stores the name of the stylesheet file, as well as the contents in the MySQL database powering the board. When we looked at the mybb_themestylesheets table and how it was structured, we noticed something interesting: the name column which stores the filename of a newly imported stylesheet is defined as a varchar column with a maximum of 30 characters.

Table definition of mybb_themestylesheets
    MariaDB [mybb]> DESC mybb_themestylesheets;
1    +--------------+----------------------+------+-----+---------+----------------+
2    | Field | Type | Null | Key | Default | Extra |
3    +--------------+----------------------+------+-----+---------+----------------+
4    | sid | int(10) unsigned | NO | PRI | NULL | auto_increment |
5    | name | varchar(30) | NO | | | |
6    [...]
7    | stylesheet | longtext | NO | | NULL | |
8    [...]
9    +--------------+----------------------+------+-----+---------+----------------+

We then noticed that the length of a stylesheet filename is not checked when imported through an XML file, resulting in attackers being able to trick MyBB into inserting a filename with more than the allowed 30 characters. MySQL’s default behavior on many systems is to then truncate the filename to 30 characters.

An attacker could abuse this behavior by setting a filename to for example aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css. This filename is 34 characters long. Since it ends with the .css extension, it passes the security checks of MyBB. However, when that string is then inserted into the database, it is truncated to 30 characters and onlyaaaaaaaaaaaaaaaaaaaaaaaaaa.php remains stored in the database.

An attacker can then use the admin panel to generate the newly imported stylesheet files and write them to the file system. This would create a PHP shell within the cache directory.


Simon Scannell (RIPS Techonologies)


MyBB 1.8.21 Released — Security & Maintenance Release

MyBB <= 1.8.20: From Stored XSS to RCE

MyBB 1.8.21



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.