An authorization bypass security hole has been addressed

Oct 9, 2013 09:29 GMT

MyBB 1.6.11 has been released. The latest version, considered a maintenance and security release, addresses a total of 5 vulnerabilities and 65 other issues that impact the functionality of the forum development software.

According to the developers, the security holes include a high-risk authorization bypass vulnerability within the PM system, and a medium-risk issue that could lead to the hijacking of accounts without login keys. The other three vulnerabilities are considered low-risk.

The security flaws have been found by Philly, StefanT and MyBB Quality Assurance Specialist Nathan Malcolm.

Malcolm provided some details regarding the high-risk vulnerability, the one identified by Philly.

Philly found that a user could register on a forum with three “emoji” characters. This led to the user becoming “unregistered.”

“The technical explanation is MySQL’s UTF8 implementation only supports up to 3 bytes per character. When someone tries to insert a string containing a 4 byte utf8 character into the database, MySQL truncates the string immediately before the 4 byte character,” Malcolm explained.

“Not only does this affect security, it affects the user’s experience as half their post or private message could be lost without them knowing why. The vulnerability was exploited by a user registering on a forum with a username consisting of only 4 byte UTF8 characters,” he added.

“As I explained before, MySQL truncates the string before the first occurrence of a 4 byte UTF8 character which led to the username column becoming empty. When someone sent a PM it would be automatically sent to the nameless user and they would be able to read it.”
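The truncation described above can be modelled and checked for before a value reaches the database. The following is an added example, not MyBB's code or its actual fix; the function names and sample usernames are constructed for illustration, and it models a 3-byte `utf8` column with MySQL in non-strict SQL mode.

```python
# Added illustration: model of 3-byte `utf8` truncation and a pre-insert check.
# All names and sample values here are constructed, not taken from MyBB.

def four_byte_chars(value: str) -> list:
    """Return (index, code point) for every character that needs 4 bytes in UTF-8.

    Code points above U+FFFF (emoji, supplementary planes) encode to 4 bytes,
    which a 3-byte `utf8` column cannot store.
    """
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value) if ord(ch) > 0xFFFF]


def mysql_utf8_store(value: str) -> str:
    """Model what a 3-byte `utf8` column keeps in non-strict mode:
    everything before the first 4-byte character. (In strict mode MySQL
    rejects the statement with an error instead of truncating.)"""
    hits = four_byte_chars(value)
    return value[:hits[0][0]] if hits else value


def check_username(name: str) -> tuple:
    """Validate a username before it is written to the database.

    Rejects names that would be silently truncated, and names that are
    empty after trimming, so no account can end up with a blank username.
    """
    hits = four_byte_chars(name)
    if hits:
        return False, "4-byte UTF-8 character at index %d (%s)" % hits[0]
    if not name.strip():
        return False, "empty username"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input: plain ASCII, 3-byte CJK, emoji-only, mixed.
    samples = ["alice", "日本語", "\U0001F600\U0001F600\U0001F600", "bob\U0001F600x"]
    for name in samples:
        stored = mysql_utf8_store(name)
        ok, reason = check_username(name)
        print(f"{name!r:>12} -> stored {stored!r:<10} valid={ok} ({reason})")
```

The same comparison, submitted value against stored value, also works as an audit of existing rows: any account whose stored username is empty or shorter than expected is worth reviewing.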

Users are advised to update their MyBB installations as soon as possible. Those who come across security vulnerabilities in MyBB are advised to report them via the Contact Us page or on the Private Inquiries forum.
