Greetings,

This blog post will be the first of many blog posts designed to demonstrate low-hanging fruits we identified in applications that we performed security audits on. While we keep the vast majority of our exploit development and research private, we are happy to release some of our lower-impact findings, along with explanations as to how they work. Anything we decide isn’t worthwhile to keep private will be added to a short blog post detailing the security issue.

In this case, the application we were testing is MyBB (the open-source and widely-used forum software) – this was tested locally on a VPS configured with LAMP-Stack, and, of course, MyBB installed onto the HTTP daemon. Additionally, this was tested against a live website in the wild (with permission) just as an extra step to confirm that the vulnerability truly does work.

The vulnerability in question is very low-impact, although it would allow an attacker to access premium (and often paid) content, without needing to unlock the content. MyBB has a feature in which users can hide links or certain thread content, for a multitude of reasons. Sometimes the hidden content is viewable just by registering an account, as opposed to viewing it as a guest. Other times, a password is requierd, or additionally users may purchase “credits” with real money, and then use said credits to unlock the hidden content. This flaw allows an attacker to view the hidden content in all instances, thus circumventing the locking of the content.

MyBB has a feature allowing content to be imported to RSS feed readers. Content that is imported includes the likes of thread titles and post content. An attacker can abuse this feature to return an XML document designed to be interpreted via the RSS reader. The post content stored within the XML CDATA sections

In order to exploit this vulnerability, the steps are extremely trivial:

  • Attacker navigates to http://example.com/syndication.php
  • Attacker addts the ?limit= HTTP GET param to syndication.php
  • Attacker chooses the size (integer value) for the ‘limit’ GET param
  • If intended results aren’t displayed, increase integer value for the ‘limit’ param

The value of the ‘limit’ parameter is use to determine how many results should be displayed on each page. So, the smaller the value, the less results will be displayed. In the displayed results, there are CDATA blocks displaying the post content within threads. BBCODE is not applied here and is rather shown in plaintext, so, for example, [url=’http://host.com’%5Dclick me[/url] would not be a hyperlink, due to the fact it’s within the CDATA block.

An attacker can load as many threads as they want via modification of the value for ‘limit’, and then they can check the thread contents outputted in the CDATA blocks for the [hidden content] BBCode tag – From there they can simply view the hyperlink that would normally be hidden. On other forums it can also be [hidden] as opposed to [hidden content] – note that this works with [spoiler] tags too.

I’ll demonstrate a live example below. Take raidforums.com – in order to unlock hidden thread content as a raidforums user, credits need to be used up. Users start with a small number of credits, and once those initial credits are used up, more credits need to be purchased using real cash in order to then be able to unlock the hidden content.

Here’s what is displayed when hidden content is embedded into a forum thread:

Although it states that you must register or login to view the content, the case with this website is that you must register, login, and also use credits in order to unlock the content. That being said, another use for this on different sites is the ability to view thread contents even if registrations are disabled or they’re invite-only.

By navigating to syndication.php?limit=1 and searching for “[hidden content]” you can see that there is only one instance containing hidden content:

However, by increasing the value of the ‘limit’ parameter, you are able to see more threads containing hidden content. I will now change the ‘limit’ value from ‘1’ to ’50’ like so: https://example.com/syndication.php?limit=50

Now, after changing the value, you can see that there are 24 instances of hidden content this time. You can even fine-tune your syndication searches furthermore, to include specific threads from specific sections, making this great for OSINT.

Below is an example of hidden content wherein the ‘hidden’ URL can be publicly viewed through MyBB’s RSS feed script aka syndication.php:

That’s all for now. Just dropping the boring stuff, while we save our main MyBB research for more important purposes. Regardless, hopefully some of you will have fun with this trick. Just please don’t abuse it.

That’s all folks!