MyBB Local File Inclusion Vulnerability in Upgrade Component

A local file inclusion vulnerability has been identified in MyBB forum software versions prior to 1.8.39. The issue arises in the upgrade component, where user input is not properly validated. This flaw allows attackers to craft specific parameter values to include local files. Exploitation requires the installer to be unlocked and the upgrade script to be accessible, either by reinstalling the forum or by being authenticated as a forum administrator.

Impact

Exploitation of this vulnerability allows for local file inclusion, which could lead to the execution of arbitrary PHP code or the disclosure of sensitive information from the server.

Reproduction

To reproduce this vulnerability, first ensure that the MyBB installer is unlocked by removing the 'install/lock' file. Then, access the upgrade script through 'install/index.php' if the forum has not been installed yet, or by logging in as a forum administrator. Once the upgrade script is accessible, the vulnerability can be exploited by sending a request with a crafted 'action' parameter that exploits the lack of input validation.

Remediation

Users can upgrade to MyBB version 1.8.39, which addresses this vulnerability. Instructions for upgrading are available in the MyBB upgrade documentation.