CVE-2024-23336

Incomplete disallowed remote addresses list in MyBB

CVSS 5.0 MEDIUM · EPSS 0.5% · CWE-184 · CWE-918
In short

MyBB's default blocklist for outbound requests covers only the single loopback address 127.0.0.1, not the whole 127.0.0.0/8 range. An attacker can therefore make the forum send requests to the server itself through any other loopback address (for example 127.0.0.2), potentially reaching internal services or data that are not meant to be exposed.

Technical detail

Server-Side Request Forgery (SSRF) in MyBB caused by incomplete IPv4 loopback filtering in the `disallowed_remote_addresses` configuration. The default list contains the single address 127.0.0.1 rather than the full 127.0.0.0/8 block, so every other loopback address (127.0.0.2 through 127.255.255.254) passes the filter. A remote attacker with a low-privileged account can use forum features that fetch remote content to direct requests at services listening on the server's loopback interface.

Summary generated and translated by AI from the official description.
MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add `127.0.0.0/8` to their disallowed address list.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected products
mybb · mybb
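The following is an added example written for this page; it is not MyBB's code. It shows the `$config['disallowed_remote_addresses']` list from `inc/config.php` in its vulnerable single-address form beside the corrected `127.0.0.0/8` form, and runs a small stand-in CIDR matcher (assumed here, not MyBB's implementation) over a few constructed addresses to make the gap visible. The RFC 1918 entries in the corrected list are an assumed baseline for the "other internal resources" the advisory mentions.

```php
<?php
// Added example for this page, not MyBB's own code. Only the config key
// $config['disallowed_remote_addresses'] and the file inc/config.php come from the
// advisory; ipv4_is_blocked() is a stand-in matcher written here to show the gap,
// not MyBB's implementation. Assumes 64-bit PHP (ip2long returns non-negative ints).

// The gap described by CVE-2024-23336: a single loopback address is listed, so every
// other address in 127.0.0.0/8 is still reachable.
$config_before = array(
    '127.0.0.1',
);

// Corrected list: the whole IPv4 loopback block. The RFC 1918 private ranges are
// added as an assumed baseline for internal resources; extend the list with every
// IPv4 address that resolves to this server, as the advisory recommends.
$config_after = array(
    '127.0.0.0/8',
    '10.0.0.0/8',
    '172.16.0.0/12',
    '192.168.0.0/16',
);

/**
 * True when $ip (a dotted-quad IPv4 literal) lies inside any entry of $list.
 * Entries may be a bare address or CIDR notation (address/prefix). A check like
 * this must run on the address a hostname actually resolves to, not on the
 * hostname string the user supplied.
 */
function ipv4_is_blocked(string $ip, array $list): bool
{
    $target = ip2long($ip);
    if ($target === false) {
        return true; // unparseable input: fail closed
    }
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            $network = ip2long($entry);
            $prefix  = 32;
        } else {
            list($net, $prefix) = explode('/', $entry, 2);
            $network = ip2long($net);
            $prefix  = (int) $prefix;
        }
        if ($network === false || $prefix < 0 || $prefix > 32) {
            continue; // skip malformed entries rather than crash
        }
        // Network mask for the prefix; prefix 0 matches everything.
        $mask = ($prefix === 0) ? 0 : ((~0 << (32 - $prefix)) & 0xFFFFFFFF);
        if (($target & $mask) === ($network & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed probe addresses: the listed loopback address, two other loopback
// addresses, one RFC 1918 address and one public (TEST-NET-3) address.
$probes = array('127.0.0.1', '127.0.0.2', '127.1.2.3', '10.0.0.5', '203.0.113.10');
foreach ($probes as $ip) {
    printf("%-13s before: %-5s  after: %s\n", $ip,
        ipv4_is_blocked($ip, $config_before) ? 'block' : 'ALLOW',
        ipv4_is_blocked($ip, $config_after)  ? 'block' : 'ALLOW');
}
```

Run with `php` on the command line. With the first list only 127.0.0.1 itself is blocked, because a bare entry matches exactly one address; 127.0.0.2 and 127.1.2.3 are allowed even though they reach the same loopback interface. With the second list all three loopback probes and the RFC 1918 probe are blocked and only the public address passes. Two caveats a practitioner should keep in mind: upgrading to 1.8.38 fixes fresh installs but does not rewrite an existing `inc/config.php`, so the list there has to be edited by hand; and the matcher above is IPv4-only, so IPv6 loopback (`::1`) and hostnames that resolve to loopback are outside what it checks.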
