MyBB Server-Side Request Forgery Vulnerability Allowing Inadvertent Data Disclosure

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in MyBB version 1.8.38. It allows remote attackers to access sensitive information through the Add Mycode function. The vulnerability arises because requests to private hosts and IP addresses are not properly restricted, so a server-side request can be directed at internal resources and their contents disclosed.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information such as MyBB's internal operation tokens, database exports, error logs, and configuration files, as listed in the MyBB security guide.

Remediation

MyBB board administrators are advised to update their configuration files to restrict outbound requests to private hosts and IP addresses. This is done by adding disallowed remote addresses and hosts to the MyBB configuration file; both lists support wildcards and CIDR notation. Instructions can be found in the MyBB documentation.
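The following excerpt, added here as an illustration and not taken from the advisory or from MyBB itself, shows the weak configuration beside a hardened one. The two option names are the ones MyBB 1.8 ships in inc/config.php; the host names, the public IP and the choice of ranges are illustrative and must be adapted to the actual deployment.

```php
<?php
// Added example (not from MyBB or the advisory): inc/config.php excerpt.
// The option names are MyBB's own; all values below are illustrative.

// --- Weak: empty lists give the check nothing to deny, so server-side ---
// --- fetches may reach any host the forum server itself can reach.     ---
// (Shown for contrast only; keep a single definition of each option.)
$config['disallowed_remote_hosts'] = array();
$config['disallowed_remote_addresses'] = array();

// --- Hardened: deny the forum host itself, loopback, RFC 1918 private ---
// --- ranges and link-local space. Host entries accept wildcards,      ---
// --- address entries accept CIDR notation.                            ---
$config['disallowed_remote_hosts'] = array(
    'localhost',
    'forum.example',        // the forum's own public host name (assumed)
    '*.internal.example',   // every host under an internal domain (assumed)
);

$config['disallowed_remote_addresses'] = array(
    '127.0.0.0/8',          // loopback
    '10.0.0.0/8',           // RFC 1918 private range
    '172.16.0.0/12',        // RFC 1918 private range
    '192.168.0.0/16',       // RFC 1918 private range
    '169.254.0.0/16',       // link-local (covers cloud metadata endpoints)
    '203.0.113.10',         // the forum server's own public IP (assumed,
                            // taken from the documentation range)
);
```

After editing, confirm the lists took effect by trying to add a MyCode entry that references an internal host name and one that references an internal IP; both should be refused. Listing the server's own public name and address matters because a request to the forum's own host is the most direct route to the tokens, exports and logs the advisory names.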

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 3.8
exploitability: 7.6
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.