CVE-2024-23336

Incomplete disallowed remote addresses list in MyBB

CVSS 5 MEDIUMEPSS 0.5%CWE-184 CWE-918

Em resumo

O filtro de segurança do MyBB não bloqueia todos os endereços locais (127.0.0.0/8), permitindo que invasores usem o fórum para fazer requisições ao próprio servidor e acessar dados ou serviços internos sensíveis.

Detalhe técnico

Vulnerabilidade de SSRF (Server-Side Request Forgery) no MyBB causada por filtro incompleto na configuração disallowed_remote_addresses. A lista padrão contém apenas 127.0.0.1 e omite o bloco CIDR completo 127.0.0.0/8, permitindo que atacantes remotos usem funcionalidades de busca de conteúdo remoto para alvejar serviços internos no intervalo localhost sem segmentação adequada.

Resumo gerado e traduzido por IA a partir da descrição oficial.

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Produtos afetados

mybb · mybb

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://docs.mybb.com/1.8/administration/configuration-file https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630 https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h https://mybb.com/versions/1.8.38