MyBB, up to the latest version, is vulnerable to remote code execution because it allows an admin to set custom mail parameters that are used in
Also, it should be noted that there is no default way to get code execution in MyBB, such as installing plugins and so on (even for admin users).
A sendmail binary should exist, and the www-data user should have permission to send mail through it. That is the default configuration of most installations, since it is the easiest way to let MyBB send password-reset links and similar mail.
Why didn't I report it to the vendor?
I was just reading some ZDI advisories when I saw that someone had reported a MyBB authenticated RCE to them.
So I decided to work on MyBB to find another RCE as admin.
However, they did not accept it due to the high level of admin access required.
I asked them why the previous report, which required the same privilege, had been accepted, and their response:
So I decided to write this article instead of reporting it directly to the vendor.
PHP mail function for RCE
The PHP mail function is an interface for sending emails; it actually invokes the sendmail interface installed on the system.
Based on the official PHP documentation, the mail function takes five parameters:
mail( string $to, string $subject, string $message, array|string $additional_headers = [], string $additional_params = "" ): bool
For us, the interesting one is additional_params.
The additional_params parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the
sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the
This parameter is escaped by escapeshellcmd() internally to prevent command execution. escapeshellcmd() prevents command execution, but allows to add additional parameters. For security reasons, it is recommended for the user to sanitize this parameter to avoid adding unwanted parameters to the shell command.
It allows us to control the parameters of the executed sendmail command, and it also uses escapeshellcmd to prevent command injection.
escapeshellcmd does not prevent argument injection, and since controlling parameters is the expected behaviour here, it should not.
As an attacker, we could abuse this, for example, by passing the -X parameter, which defines a file to write logs to. By controlling the log file path and extension this way, if we also find a way to inject our custom code into the log file, we could write a web shell on the server.
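The documentation quoted above puts the burden of sanitizing additional_params on the application. The following validator is an added example, not MyBB's code, of the allow-list approach a defender would want: it accepts only a single envelope-sender flag (-f<address>) and rejects anything else, so extra sendmail flags such as -X or -C never reach mail(). The function name and test inputs are constructed for this example.

```php
<?php
// Added example (not MyBB code): allow-list validation of the "additional
// parameters" string before it is handed to mail(). escapeshellcmd() only
// neutralises shell metacharacters; it does not stop extra sendmail flags.
// Policy: exactly one "-f<address>" flag with a strict address, or nothing.
// Returns the normalised flag string, or null when the input is rejected.
function validate_mail_params(string $params): ?string
{
    $params = trim($params);
    if ($params === '') {
        return '';                                   // no extra flags: fine
    }
    // Anchored pattern: one -f flag, optional space, one plain address,
    // and nothing else. Any second token (e.g. "-X file") fails the match.
    $pattern = '/^-f\s?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/';
    if (!preg_match($pattern, $params, $m)) {
        return null;                                 // reject and log upstream
    }
    return '-f' . $m[1];
}

// Constructed inputs for demonstration; paths are placeholders.
$cases = [
    ''                                        => '',
    '-fbounce@example.com'                    => '-fbounce@example.com',
    '-f bounce@example.com'                   => '-fbounce@example.com',
    '-fbounce@example.com -X /srv/www/x.php'  => null,   // log-file flag injected
    '-C /srv/www/cache/evil.css'              => null,   // alternate config file
    'bounce@example.com; id'                  => null,   // no flag, stray shell text
];
foreach ($cases as $input => $expected) {
    $result = validate_mail_params($input);
    if ($result !== $expected) {
        throw new RuntimeException("unexpected result for: $input");
    }
    printf("%-42s => %s\n", var_export($input, true), var_export($result, true));
}
// A stricter alternative is to never expose additional_params in an admin
// UI at all and fix the envelope sender in sendmail_path in php.ini instead.
```

When validate_mail_params() returns null, the caller should refuse to save the setting and record the rejected value, since an admin trying to set -X or -C is itself a signal worth alerting on.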
Root cause analysis
MyBB allows the admin to set mail handlers and additional parameters; when we set them, it updates the config file and writes our config to the settings without sanitization.
When MyBB is going to send an email, if the admin has selected the PHP mail handler, it calls the send function of the PhpMail class defined in inc/mailhandlers/php.php, and if PHP safe mode is off (the default PHP installation), it uses the additional parameters we defined:
So, in order to write a web shell, we first need to know the document root path and find a way to inject our own PHP code into the log file.
MyBB allows us to call phpinfo and see its result, so we can simply send a request to
admin/index.php?module=tools-php_info&action=phpinfo and, from its result, find the document root path where we will write our web shell.
Also, we can add a new stylesheet and write custom CSS files in
cache/themes/theme2, so we can trigger the file write by:
- Find the webroot path from
- Write our PHP code to a CSS file
- Set the mail parameters to
-C <web_root>/cache/themes/theme2/rce.css -X <web_root>/rce.php
- Trigger a call of
Since rce.css is not a valid config file, it results in an error, and its content is written to the log file, which is our webshell.