EUVD-2025-16668
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.
Analysis
MyBB versions prior to 1.8.39 contain a local file inclusion (LFI) vulnerability in the upgrade component due to improper input validation (CWE-22). This vulnerability allows authenticated administrators or unauthenticated attackers with access to an unlocked installer to read arbitrary files from the server filesystem. The vulnerability requires either the installer to be accessible via re-installation or the attacker to have administrative privileges, significantly limiting real-world exploitability despite the CVSS 7.2 score.
Technical Context
MyBB is a PHP-based forum software platform. The vulnerability exists in the upgrade/installation component (`install/index.php`) which fails to properly sanitize user-supplied parameters before using them in file inclusion operations, leading to path traversal and local file inclusion (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The root cause is insufficient input validation in file path handling, allowing attackers to manipulate parameters to include arbitrary files outside the intended directory structure. The vulnerability is contingent upon the `install/lock` file being absent (indicating an unlocked installer state), suggesting the developers intended to restrict this attack surface post-installation but failed to implement proper controls during the upgrade process.
Affected Products
MyBB forum software versions prior to 1.8.39 are affected. Specific vulnerable versions include: 1.8.38 and all earlier 1.8.x releases, and potentially earlier major version lines (1.6.x, 1.7.x) if they share identical upgrade component code. The vulnerability manifests when: (1) The `install/lock` file is absent; (2) The upgrade script is accessible via `install/index.php`; (3) Either the forum has not yet been installed OR the attacker is authenticated as a forum administrator. Common CPE representation: cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:* (versions <1.8.39). Remediation version: MyBB 1.8.39 and later.
Remediation
1. **Immediate patch**: Upgrade MyBB to version 1.8.39 or later, which resolves the input validation issue in the upgrade component. 2. **For unpatched systems pending upgrade**: (a) Remove or rename the `install/` directory entirely post-deployment to prevent any access to installation scripts; (b) Restrict access to `install/index.php` via web server configuration (.htaccess for Apache, nginx location blocks) using IP whitelisting or authentication; (c) Ensure `install/lock` file exists and is properly protected with restrictive file permissions (644 or similar); (d) Implement authentication/authorization checks at the web server level for any installer-related paths; (e) Monitor access logs for suspicious requests to `install/index.php`. 3. **Long-term**: Deploy automated security scanning to detect presence of installer files in production; implement configuration management to enforce removal of installer directories post-deployment.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today