
MyBB 1.4.11 Password Reset

Posted Apr 14, 2010
Authored by Stefan Esser

MyBB versions 1.4.11 and below suffer from a password reset vulnerability.

tags | advisory
SHA-256 | eebecf174ba3f29f1d553d050fbff4e47f7d1b2b733b9981a342465b41506447


SektionEins GmbH

-= Security Advisory =-

Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: MyBB <= 1.4.11
Severity: An email injection vulnerability in MyBB allows injecting
mail headers such as BCC into password reset emails. This
allows an attacker to take over accounts via the password
reset functionality.
Risk: Critical
Vendor Status: MyBB 1.4.12 was released which fixes this vulnerability


Quote from http://www.mybboard.net
"MyBB is a discussion board that has been around for a while; it has
evolved from other bulletin boards into the forum package it is
today. Therefore, it is a professional and efficient discussion
board, developed by an active team of developers. The MyBB history
has been recorded and is available for the interested to read.
You can also read more about the MyBB team and why they develop
MyBB in their spare time. We also like to highlight the most
active and contributing fansites of the MyBB community."

During evaluation of various password reset implementations it was
discovered that MyBB contains an email injection vulnerability that
allows arbitrary account takeover by injecting BCC: email headers
through a simple URL manipulation.

When triggering the password reset functionality via such a
manipulated URL MyBB will send a copy of the secret password reset
email to wherever the injected BCC: header points to.


Inside the set_common_header() method of the MailHandler class the
following code is responsible for adding several common headers to
all outgoing emails. This includes all password reset emails.

$this->headers .= "Message-ID: <{$msg_id}>{$this->delimiter}";
$this->headers .= "Content-Transfer-Encoding: 8bit{$this->delimiter}";
$this->headers .= "X-Priority: 3{$this->delimiter}";
$this->headers .= "X-MSMail-Priority: Normal{$this->delimiter}";
$this->headers .= "X-Mailer: MyBB{$this->delimiter}";
$this->headers .= "X-MyBB-Script:
$this->headers .= "MIME-Version: 1.0{$this->delimiter}";

The code above adds an "X-MyBB-Script" header to all outgoing emails,
which contains the content of the $_SERVER['PHP_SELF'] variable.
The problem here is that PHP_SELF does not only contain the path
relative to the document root directory, but also extensions like
the Apache PATH_INFO. Therefore it is controllable by malicious

By calling a MyBB PHP script like


it is possible to add arbitrary BCC headers to all emails sent by
this script. If the same attack is used against the password reset
functionality an attacker is able to grab a copy of the secret
password reset token and the randomly generated password, which
results in an account takeover.

This vulnerability was fixed by the vendor by removing the code that
adds the X-MyBB-Script header to the email.

Furthermore it should be noted that users of the Suhosin Extension
version 0.9.30 or newer are safe from this class of attacks because
several unsafe characters like < > " ' \r and \n are automatically
replaced by a ? character within PHP_SELF.
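
The class of defect described above can be closed at the point where header lines are assembled. The following is an added example, not MyBB or Suhosin code: the function names and the X-Example-Script header are hypothetical, and the sample value is constructed. It shows a strict check that refuses CR, LF and NUL in a header value, a lenient variant modelled on the character replacement the advisory attributes to Suhosin, and SCRIPT_NAME as a source that does not include PATH_INFO.

```php
<?php
// Added example, not MyBB code: all function names here are hypothetical.

/** Strict check: refuse any value that could end the header line early. */
function assert_safe_header_value(string $value): string
{
    // CR, LF and NUL never belong in a single unfolded header value.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('control character in mail header value');
    }
    return $value;
}

/** Lenient variant: replace the characters the advisory lists with '?'. */
function neutralise_header_value(string $value): string
{
    return strtr($value, [
        '<' => '?', '>' => '?', '"' => '?', "'" => '?', "\r" => '?', "\n" => '?',
    ]);
}

/** Build one header line; only this function ever appends the delimiter. */
function header_line(string $name, string $value, string $delimiter = "\r\n"): string
{
    if (!preg_match('/^[A-Za-z0-9-]+$/', $name)) {
        throw new InvalidArgumentException('invalid header name');
    }
    return $name . ': ' . assert_safe_header_value($value) . $delimiter;
}

// Constructed sample: a PHP_SELF-style value whose PATH_INFO part carries CR LF.
$constructed = "/member.php/x\r\nX-Injected: 1";

try {
    header_line('X-Example-Script', $constructed);
    echo "accepted (unexpected)\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The lenient variant keeps the whole value on a single header line.
echo header_line('X-Example-Script', neutralise_header_value($constructed));

// SCRIPT_NAME omits PATH_INFO, so it is the safer source for a script path.
echo header_line('X-Example-Script', $_SERVER['SCRIPT_NAME'] ?? '/member.php');
```

Routing every header through a single builder such as header_line() means a request-derived value cannot reach the mail transport with an embedded line break, whichever $_SERVER field it came from.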

Proof of Concept:

SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

31. March 2010 - Notified the MyBB devs via security contact form
13. April 2010 - MyBB developers released MyBB 1.4.12
13. April 2010 - Public Disclosure


It is recommended to upgrade to the latest version of MyBB.

Grab your copy at:

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability.

Month of PHP Security:

If you have a non-public vulnerability like this one, then don't
hesitate to submit it to the Month of PHP Security. Further
information at



pub 1024D/15ABDA78 2004-10-17 Stefan Esser
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

Copyright 2010 SektionEins GmbH. All rights reserved.