MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page.
MyBB versions prior to 1.4.12 are vulnerable to an information disclosure flaw. This vulnerability allows attackers to read hidden thread titles from the Latest Threads block on the portal page, potentially revealing sensitive information about the forum's content and user activity, leading to targeted attacks and data breaches.
Step 1: Reconnaissance: The attacker identifies a MyBB forum instance running a vulnerable version (pre-1.4.12).
Step 2: Access Portal Page: The attacker navigates to the portal page of the MyBB forum.
Step 3: Observe Latest Threads Block: The attacker observes the Latest Threads block, which displays recent thread titles.
Step 4: Identify Hidden Threads: The attacker notices that the Latest Threads block displays titles of threads that are marked as hidden within a visible forum.
Step 5: Information Disclosure: The attacker gains knowledge of the existence and titles of hidden threads, potentially revealing sensitive information about forum content and user activity.
The vulnerability stems from an improper access control check within the MyBB portal page's Latest Threads block. The code fails to adequately filter hidden threads, even when the forum containing those threads is visible. This allows unauthenticated users to view the titles of threads they should not have access to. The root cause is a logic error in the SQL query or the subsequent data processing that retrieves and displays thread titles, failing to respect the visibility settings of individual threads within a forum. Specifically, the query likely retrieves thread titles based on forum ID and thread status without considering the 'hidden' flag on individual threads. This leads to the disclosure of private information.