[Pushed] Memcached and Permissions Bug
#1
I found a potential security bug. If you use MyBB Group Permissions (for example, a private sub forum for moderators) and use Memcached as the cache handler, upon reboot of your server the permissions go away and it's a public forum until you manually rebuild the cache. Ideally MyBB will check for permission data and rebuild the cache as necessary. Thoughts?
Software Engineer specializing in C# Program Development
#2
Sorry, I jumped to a quick conclusion, but it was not correct.

If MyBB is using a cache handler other than the database (db) and the cache engine loses some cache keys, it will fall back to querying the datacache table in the database. There won't be any problem if this table doesn't lose any essential records. But if the table does lose some essential records, for example forumpermissions, only rebuilding the cache from the AdminCP will not bring them back, meaning the forum permissions won't be right.

So, MyBB's part seems to be doing fine. I suppose there might be something wrong with your Memcached server. I haven't used any cache handler other than the database, so let me guess whether your Memcached is serving invalid data upon a restart.

I did some searching in the code, and it seems what I've said is not simply similar to your problem, but it still exists:
Quote: It's not dedicated to Memcached. Using db, for example, as a cache handler, a missing forumpermissions record in the database will cause the issue, too. And it looks like rebuilding the cache in AdminCP only reloads existing caches but does not really *rebuild* missing ones.

It seems MyBB DOES NOT DO an integrity check on the cache... It tries to work if some caches are lost; only when all are lost will it stop working. It didn't become a problem for me before you mentioned forumpermissions being lost from the cache. I was thinking it should be the forum owner's responsibility to maintain the database integrity, because I have only used db as the cache handler.

Update post.

Found this: https://pecl.php.net/package-info.php?pa...on=2.0.0b1
Quote: Release notes
Version 2.0.0b1 (beta)
- Change the return value for non-existing keys to be NULL rather than 'false', affects simple get only
Not sure if this matters. MyBB checks whether a cached entry from Memcached is === false. If it is not === false, the value returned by Memcached is used; otherwise, MyBB will fetch it from the database. However, the PHP documentation says that action will return the value stored in the cache or FALSE otherwise.

I'm confused. It seems this is the culprit, but I'm not sure. Could anyone who uses Memcached test it?
Could be wrong but worth a try.
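Added example, not part of the thread and not MyBB's code: a PHP 8 sketch of the hypothesis raised in post #2, where a read that treats only a strict `false` as a cache miss accepts a `NULL` miss as if it were data. `FakeCacheBackend`, `load_from_db`, `read_strict_false`, `read_checked`, `can_view` and forum id 12 are hypothetical names and constructed sample values.

```php
<?php
// Constructed stand-in for a cache backend (not MyBB's handler class).
// $missValue is what fetch() returns for a key the backend does not hold.
final class FakeCacheBackend
{
    private array $store = [];
    public function __construct(private mixed $missValue) {}
    public function fetch(string $key): mixed
    {
        return array_key_exists($key, $this->store) ? $this->store[$key] : $this->missValue;
    }
}

// Constructed stand-in for the database fallback; forum 12 is a private forum.
function load_from_db(string $key): array
{
    $rows = ['forumpermissions' => [12 => ['canview' => 0]]];
    return $rows[$key];
}

// The check as described in the post: only a strict false counts as a miss.
function read_strict_false(FakeCacheBackend $cache, string $key): mixed
{
    $value = $cache->fetch($key);
    return $value === false ? load_from_db($key) : $value;
}

// Stricter read: for an array-valued entry, anything that is not an array
// (null, false, a scalar) is treated as a miss and reloaded from the database.
function read_checked(FakeCacheBackend $cache, string $key): array
{
    $value = $cache->fetch($key);
    return is_array($value) ? $value : load_from_db($key);
}

// Assumption modelling the reported symptom: with no permission data at all,
// the forum is treated as viewable.
function can_view(?array $perms, int $fid): bool
{
    return ($perms[$fid]['canview'] ?? 1) === 1;
}

// An empty cache, as after a restart, with each of the two miss conventions.
foreach (['false' => false, 'null' => null] as $label => $miss) {
    $cache = new FakeCacheBackend($miss);
    printf("%-5s miss: strict-false read => %s, checked read => %s\n", $label,
        can_view(read_strict_false($cache, 'forumpermissions'), 12) ? 'PUBLIC' : 'private',
        can_view(read_checked($cache, 'forumpermissions'), 12) ? 'PUBLIC' : 'private');
}
```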
#3
I did some research while this thread was missing :D and have created an issue on GitHub, see it here: https://github.com/mybb/mybb/issues/3793. It's pretty long because MyBB currently relies on "cache" massively and several other problems are involved.

OP's problem should be a bug in MyBB. Anyone who's using an external cache store might want to read that GitHub issue; I've given a temporary mitigation for it there. The mitigation should work without introducing any new security problem, but use it at your own risk. Change the core file with caution.
Could be wrong but worth a try.
#4
I keep running into the issue that OP mentioned as well. It is very annoying as the moderators-only forums are made public after server reboots, especially when our server is rebooted unplanned by the host and we notice it hours later.
#5
(2020-11-03, 01:49 AM)babak Wrote: I keep running into the issue that OP mentioned as well. It is very annoying as the moderators-only forums are made public after server reboots, especially when our server is rebooted unplanned by the host and we notice it hours later.

For the time being, maybe you could run the following script as a cron job, periodically or whenever your server reboots:
https://community.mybb.com/thread-229912...pid1357497
Could be wrong but worth a try.