SB2018062616 - Multiple vulnerabilities in MyBB

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2018-1000502)

The vulnerability allows a remote privileged user to execute arbitrary code.

MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15.

2) Improper Privilege Management (CVE-ID: CVE-2018-1000503)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15.

Remediation

Install update from vendor's website.

References

• http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html
• https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/