MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php.
MyBB (MyBulletinBoard) versions prior to 1.4.12 are vulnerable to a denial-of-service (DoS) attack. By exploiting a flaw in how group join requests are handled, attackers can exhaust server resources, rendering the forum unavailable to legitimate users. This vulnerability allows attackers to leverage guest access to submit a flood of join requests for moderated groups.
Step 1: Guest Access: An attacker, without needing an account, accesses the MyBB forum as a guest.
Step 2: Request Crafting: The attacker identifies moderated groups within the forum.
Step 3: Payload Generation: The attacker crafts a malicious HTTP request, targeting usercp.php or managegroup.php, specifically the group join functionality.
Step 4: Malicious uid Injection: The attacker injects a large number of join requests, each with a potentially invalid or non-existent uid value, or a large number of requests with the same valid uid value.
Step 5: Request Submission: The attacker submits the crafted requests to the MyBB server.
Step 6: Resource Exhaustion: The MyBB server processes the requests, attempting to validate and process the join requests. Due to the lack of proper input validation and rate limiting, the server consumes excessive resources.
Step 7: Denial of Service: The server's resources are exhausted, leading to a DoS condition, making the forum inaccessible to legitimate users.
The vulnerability stems from a lack of proper input validation and authorization checks when processing group join requests, specifically within the usercp.php and managegroup.php scripts. The software fails to adequately restrict the uid (user ID) values used in these requests. An attacker can craft malicious requests, potentially including a large number of requests with invalid or non-existent uid values. The server then attempts to process these requests, consuming resources (CPU, memory, database connections) in the process. This resource exhaustion leads to a DoS condition, preventing legitimate users from accessing the forum. The core issue is the absence of a rate limit or other mechanism to prevent an excessive number of join requests from a single source, coupled with the lack of validation on the uid parameter.
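The fix the last paragraph implies, shown as an added illustrative example (not MyBB's own code): a join-request handler that binds the uid to the authenticated session, rejects guests outright, refuses requests for groups that are not moderated or that already have a pending request, and rate-limits requests per user. The Forum container, the join_request function and the limits are assumptions made for the example; the guest uid of 0 follows MyBB's convention.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

GUEST_UID = 0                 # MyBB represents an unauthenticated session as uid 0
MAX_REQUESTS_PER_WINDOW = 3   # assumed limit per user per window
WINDOW_SECONDS = 3600         # assumed sliding window length


@dataclass
class Forum:
    """Minimal stand-in for the forum state a join-request handler consults."""
    users: set                                   # existing uids
    moderated_groups: set                        # gids that accept join requests
    pending: set = field(default_factory=set)    # (uid, gid) pairs awaiting review
    request_log: dict = field(default_factory=lambda: defaultdict(deque))


def join_request(forum, session_uid, posted_uid, gid, now):
    """Validate one join request; returns (status, reason)."""
    # Authorization: the uid is taken from the session, never from the form alone.
    if session_uid == GUEST_UID:
        return "rejected", "guests may not request group membership"
    if posted_uid != session_uid:
        return "rejected", "uid must match the authenticated session"
    if session_uid not in forum.users:
        return "rejected", "unknown user"
    # Only moderated groups have a join-request workflow at all.
    if gid not in forum.moderated_groups:
        return "rejected", "group does not accept join requests"
    # One pending request per (user, group) bounds the rows any user can create.
    if (session_uid, gid) in forum.pending:
        return "rejected", "request already pending"
    # Sliding-window rate limit keyed by the authenticated user.
    log = forum.request_log[session_uid]
    while log and now - log[0] >= WINDOW_SECONDS:
        log.popleft()
    if len(log) >= MAX_REQUESTS_PER_WINDOW:
        return "rejected", "rate limit exceeded"
    log.append(now)
    forum.pending.add((session_uid, gid))
    return "ok", "request queued for moderator review"
```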