CVE-2022-24734
📋 TL;DR
This vulnerability allows authenticated administrators with settings management permissions to inject PHP code into MyBB forum settings, leading to remote code execution. It affects MyBB versions before 1.8.30; an attacker with admin access can execute arbitrary PHP code on the server.
💻 Affected Systems
- MyBB
📦 What is this software?
MyBB by MyBB
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing data theft, malware deployment, lateral movement, and persistent backdoor installation.
Likely Case
Attacker with stolen admin credentials gains full control over the forum and underlying server to steal data or deploy ransomware.
If Mitigated
Limited to administrators who already have high privileges, but could enable privilege escalation if combined with other vulnerabilities.
🎯 Exploit Status
Exploit requires admin credentials but is straightforward once authenticated. Multiple public exploit examples exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.30
Vendor Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f
Restart Required: No
Instructions:
1. Back up your MyBB installation and database.
2. Download MyBB 1.8.30 from mybb.com.
3. Replace all files except inc/config.php and the uploads/ directory.
4. Run the upgrade script if upgrading from older versions.
🔧 Temporary Workarounds
Remove settings management permissions from all administrators
Temporarily revoke the 'Can manage settings?' permission from all admin accounts until patching.
🧯 If You Can't Patch
- Implement strict access controls and MFA for all admin accounts
- Monitor admin activity logs for suspicious settings modifications
🔍 How to Verify
Check if Vulnerable:
Check the MyBB version in the Admin CP dashboard or in the inc/version.php file.
Check Version:
grep -i 'mybb_version' inc/version.php
Verify Fix Applied:
Confirm the version is 1.8.30 or later in the Admin CP or in the inc/version.php file.
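As an added example (not part of the advisory or of MyBB), the following POSIX shell script extracts the version string with the grep pattern above and compares it against 1.8.30 field by field, so that a version such as 1.8.9 is not mistaken for newer than 1.8.30 the way a plain string comparison would. The 'mybb_version' pattern, the constructed sample file and the function names are assumptions; adapt the pattern to what your install's inc/version.php actually contains.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a MyBB install as patched or
# vulnerable to CVE-2022-24734 by comparing its version against the fix, 1.8.30.
FIXED_VERSION="1.8.30"

# Pull the first dotted version number from the line(s) matching the page's grep
# pattern. ASSUMPTION: the file contains 'mybb_version'; adapt to your install.
extract_version() {
    grep -i 'mybb_version' "$1" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing each dotted field as an
# integer so that 1.8.9 < 1.8.30 (a plain string compare would get this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print an assessment for the version file given as $1.
# Exit status: 0 patched, 1 vulnerable, 2 no version string found.
assess_file() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "unknown: no version string in $1"; return 2; fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched: $v (fix is $FIXED_VERSION)"; return 0
    fi
    echo "vulnerable: $v is older than $FIXED_VERSION"; return 1
}

# Demo on a CONSTRUCTED stand-in for inc/version.php, not real MyBB source.
SAMPLE=$(mktemp)
for v in 1.8.29 1.8.30; do
    printf '<?php\n$mybb_version = "%s";\n' "$v" > "$SAMPLE"
    assess_file "$SAMPLE" || :   # status 1 = vulnerable; ignored in the demo
done
rm -f "$SAMPLE"
```

Run it against the real file with `assess_file /path/to/mybb/inc/version.php` and use the exit status in a fleet-wide check.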
📡 Detection & Monitoring
Log Indicators:
- Admin CP settings modifications, especially PHP type settings
- Unusual PHP execution in settings context
Network Indicators:
- Admin CP access from unusual IP addresses
- POST requests to settings management endpoints
SIEM Query:
source="mybb_logs" AND (event="settings_modified" OR event="php_execution")
🔗 References
- http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html
- https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1
- https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f
- https://mybb.com/versions/1.8.30/
- https://www.zerodayinitiative.com/advisories/ZDI-22-503/