Hacking MYBB with CSRF

by Adrian Birsan
Oct. 7, 2017, INFOSEC Institute, Pen Testing & Audits

I chose an admin-panel plugin, meaning that normally only the admin is able to reach its functionality. This is also what makes exploiting the vulnerability tricky: since only the admin can access the plugin, we must force the admin to make the request for us in order to inject payloads, and there is only one way to do that: Cross-Site Request Forgery (CSRF). As a popular forum CMS, MyBB obviously takes measures against CSRF, and the MyBB core does protect itself. But one grain of sand can jam this mechanism: the anti-CSRF token is only checked for POST variables, whereas $mybb->input can also be filled from GET variables. Thus a GET request carrying the user input in the URL passes straight through the anti-CSRF protection.
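The following Python model is an added illustration of the mismatch described above; it is not MyBB's PHP code and not from the original article. It assumes a request object whose handler reads parameters from an input array merged from GET and POST (standing in for $mybb->input), a token field named `csrf_token` (a constructed name, not MyBB's), and a handler that only verifies the token on POST requests. The hardened variant shows the defender's fix: require POST for any state change, verify the token unconditionally, and read the parameters from the POST body only.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of an HTTP request: method plus separate GET and POST dicts."""
    method: str
    get: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)

    @property
    def merged_input(self) -> dict:
        # Stand-in for an input array populated from both the query string and
        # the body: the handler cannot tell GET keys from POST keys.
        return {**self.get, **self.post}


def token_valid(session_token: str, supplied) -> bool:
    """Constant-time comparison; a missing or non-string token never validates."""
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(session_token.encode(), supplied.encode())


def vulnerable_handler(req: Request, session_token: str) -> str:
    """Weak pattern: the token is verified only when the request is a POST,
    but the parameters are read from the merged input, so a GET request that
    carries the same keys in the URL is processed without any token check."""
    if req.method == "POST":
        if not token_valid(session_token, req.post.get("csrf_token")):
            return "rejected: bad token"
    setting = req.merged_input.get("setting")
    if setting is None:
        return "no-op"
    return f"saved: {setting}"


def hardened_handler(req: Request, session_token: str) -> str:
    """Fix: a state change requires POST, the token is always verified, and the
    parameters are taken from the POST body only, never from the query string."""
    if req.method != "POST":
        return "rejected: method"
    if not token_valid(session_token, req.post.get("csrf_token")):
        return "rejected: bad token"
    setting = req.post.get("setting")
    if setting is None:
        return "no-op"
    return f"saved: {setting}"


def compare_handlers(session_token: str = "constructed-session-token") -> dict:
    """Run both handlers over constructed requests and return their verdicts."""
    cases = {
        # Forged cross-site GET: parameters in the URL, no token at all.
        "forged_get": Request("GET", get={"setting": "evil"}),
        # Legitimate admin form submission with the correct token in the body.
        "good_post": Request("POST", post={"setting": "ok", "csrf_token": session_token}),
        # POST with a wrong token, as a forged form would carry.
        "bad_post": Request("POST", post={"setting": "evil", "csrf_token": "wrong"}),
        # Token present only in the query string: must not count as verified.
        "token_in_query": Request("POST", get={"csrf_token": session_token},
                                  post={"setting": "evil"}),
    }
    return {
        name: {
            "vulnerable": vulnerable_handler(req, session_token),
            "hardened": hardened_handler(req, session_token),
        }
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_handlers().items():
        print(f"{name:15s} vulnerable={verdicts['vulnerable']!r:24s} hardened={verdicts['hardened']!r}")
```

The `forged_get` case is the one the article describes: the vulnerable handler saves the attacker-chosen value because no token check runs on GET, while the hardened handler refuses before touching any input. Reading parameters from the POST body only (rather than a merged array) is what closes the gap even if a future code path forgets the method check.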