Tags: mybb, privilege-escalation, php, exploitarium
MyBB 1.8.40 Limited ACP to Full Administrator
ACP user-manager permission alone can create gid=4 Administrator accounts — verify_usergroup() accepts any group.
Summary
This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | MyBB 1.8.40 |
| Primitive | Unvalidated usergroup POST in Admin CP add-user flow |
| Impact | Limited ACP user module access → full board administration. |
Attack Chain
ACP session with user-users=1 → POST usergroup=4 → new full admin account
Mitigation
Restrict which ACP accounts hold the user-management permission; apply the vendor fix when it ships; audit the Administrator group (gid=4) for accounts nobody provisioned.
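The audit step above, as an added example that is not part of the original post or of MyBB's code: it walks a snapshot of the users table and flags every account that sits in gid=4, either as primary group or through the additional-groups column, that is not on an allowlist of provisioned administrators. The row shape (uid, username, usergroup, additionalgroups) is an assumption modelled on MyBB's users table, the sample rows are constructed, and the `is_assignable` check is a hypothetical sketch of the allowlist validation the advisory says the add-user flow lacks, not MyBB's verify_usergroup().

```python
"""Audit a MyBB-style users table for unexpected Administrator (gid=4) accounts.

Added example, not MyBB code. Row shape and sample data are constructed.
"""
from dataclasses import dataclass

# MyBB's default Administrators group id, as named in the advisory.
ADMIN_GID = 4


@dataclass(frozen=True)
class UserRow:
    uid: int
    username: str
    usergroup: int          # primary group id
    additionalgroups: str   # comma-separated secondary group ids, "" if none (assumed column)


def groups_of(row: UserRow) -> set[int]:
    """Primary plus additional group ids, so an admin membership hidden in
    additionalgroups is caught as well as a usergroup=4 primary."""
    extra = {int(g) for g in row.additionalgroups.split(",") if g.strip()}
    return {row.usergroup} | extra


def unexpected_admins(rows, known_admin_uids):
    """Accounts that are in gid=4 but were not provisioned (not on the allowlist)."""
    return [r for r in rows if ADMIN_GID in groups_of(r) and r.uid not in known_admin_uids]


def is_assignable(requested_gid: int, assignable_gids: set[int]) -> bool:
    """Hypothetical hardened check for an add-user flow: the caller may only
    assign groups from an explicit allowlist derived from its own permissions.
    A request for a group outside that set (e.g. 4 from a user-manager-only
    account) is refused instead of being accepted verbatim from the POST body."""
    return requested_gid in assignable_gids


# Constructed sample snapshot (not real data).
SAMPLE_ROWS = [
    UserRow(1, "boardadmin", 4, ""),     # provisioned administrator
    UserRow(2, "alice", 2, ""),          # ordinary registered user
    UserRow(3, "support2", 4, ""),       # gid=4 primary, not on the allowlist
    UserRow(4, "bob", 2, "4"),           # gid=4 via additionalgroups only
]
KNOWN_ADMIN_UIDS = {1}

if __name__ == "__main__":
    for row in unexpected_admins(SAMPLE_ROWS, KNOWN_ADMIN_UIDS):
        print(f"unexpected administrator: uid={row.uid} username={row.username} "
              f"groups={sorted(groups_of(row))}")
```

Run it against a fresh export of the users table after every ACP session review; an allowlist keyed on uid rather than username keeps a renamed account from slipping past the audit.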