MyBB 1.6.4 Backdoor PHP Remote Code Execution

high Nessus Plugin ID 56512

Synopsis

The remote web server hosts a PHP application that is affected by a remote code execution vulnerability.

Description

A version of MyBB 1.6.4 with a backdoor was detected on the remote host. The MyBB source code repository was compromised, and backdoor code was added to allow arbitrary PHP execution. The backdoor is present in MyBB 1.6.4 downloaded on or before October 6, 2011. A remote, unauthenticated attacker can exploit this to execute arbitrary PHP code on the affected host, subject to the privileges under which the web server runs.

Solution

Install the latest version of MyBB 1.6.4. Alternatively, apply the patch referenced in the vendor advisory.

See Also

https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/

http://blog.mybb.com/wp-content/uploads/2011/10/mybb_1604_patches.txt

Plugin Details

Severity: High

ID: 56512

File Name: mybb_collapse_backdoor.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 10/14/2011

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

CVSS Score Rationale: Score based on analysis of the vulnerability.

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: manual

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Required KB Items: www/PHP, installed_sw/MyBB

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/6/2011

Vulnerability Publication Date: 10/6/2011

Exploitable With

Metasploit (myBB 1.6.4 Backdoor Arbitrary Command Execution)

Elliot (MyBB 1.6.4 RCE)

Reference Information

BID: 49993

SECUNIA: 46300