The developers of the free and open-source forum software MyBB have shared some data on the vulnerabilities patched in their product over the past years.
According to MyBB developers, 103 vulnerabilities have been patched in the 1.8.x branch since its release in 2014. Nearly three quarters of these flaws were reported through MyBB’s security program and 19 percent were discovered internally. The vulnerabilities were patched across 19 security releases.
In total, the developers revealed, more than 270 vulnerabilities were found and patched in MyBB since the release of version 1.0 in 2005.
A total of 50 people discovered vulnerabilities in MyBB 1.8, and 40% of them reported two or more valid issues. Vulnerabilities found in MyBB can be reported through the organization’s Private Inquiries forum, which has been used to submit most reports, and email.
As for the types of security holes found in MyBB 1.8, developers said the most common was cross-site scripting (XSS), with 49 cases of persistent, reflected and DOM-based XSS. The second most common types of vulnerabilities were improper access control and SQL injection, with 7 cases each.
Other types of flaws included code injection, information exposure, cross-site request forgery (CSRF), path traversal, improper input validation, small space of random values, and server-side request forgery (SSRF).
In terms of risk, only a dozen vulnerabilities were classified as high risk; 33 were rated medium risk and 58 low risk.
According to MyBB, 49 flaws could be exploited by low-privileged users, 22 required moderator or user permissions, and 32 required admin permissions for successful exploitation.
“A rundown of recently remediated weaknesses suggest that MyBB forums with a common configuration, running on version 1.8.20 or older, can be breached with minimal interaction of unsuspecting forum administrators, through the exploitation of an XSS & Code Injection weakness,” MyBB developers explained.
“Moreover, boards running 1.8.18 or older may be damaged with no interaction whatsoever by attackers escalating permissions of their own accounts to the administrator user group, as a result of an especially fatal SQL Injection vulnerability within the sign-up process. These points of peak exposure underline the importance of keeping live MyBB forums easy to update (e.g. by avoiding core file modifications, in favor of plugin hooks) and performing actual upgrades as soon as they’re released,” they added.
MyBB believes that changes made in the upcoming 1.9 version and general security improvements in web browsers will lead to fewer vulnerabilities in the future.