Bugtraq mailing list archives

[myimei]MyBB1.0.3~moderation.php~SqlInject while merging posts
From: addmimistrator () gmail com
Date: 7 Feb 2006 22:56:23 -0000

ORIGINAL ADVISORY :
http://myimei.com/security/2006-02-07/mybb103moderationphpsqlinject-while-merging-posts.html
——————-Summary—————-
Software: MyBB
Software’s Web Site: http://www.mybboard.com
Versions: 1.0.3
Class: Remote
Status: Unpatched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level: high
—————–Description—————
There is a security bug in MyBB 1.0.3 software (latest version fully patched), file moderation.php, that allows an attacker
to perform an SQL injection attack. The bug is the result of poor checking of quotes for the “posts” input variable. An attacker with
enough permissions in moderation and merging posts can perform any one of UPDATE / DELETE / and SELECT query on the db.
————–Exploit———————-
mybb/moderation.php?posts=[firstpid]|[secondpid]'[SQL]
&tid=[containertid]&action=do_multimergeposts&sep=hr
————–Solution———————
Not Available
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator[4]gmail[O]com
www.myimei.com
security.myimei.com
original advis:
http://myimei.com/security/2006-02-07/mybb103moderationphpsqlinject-while-merging-posts.html
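
The advisory attributes the bug to poor quote checking on the pipe-separated "posts" parameter. The PHP below is an added example, not part of the original advisory and not MyBB's code: it parses such a list strictly as integers and binds each id as a query parameter. The function names, the `posts(pid, message)` table and the use of PDO with an in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not MyBB code): parse a pipe-separated id list such as
// "12|15" and reject every element that is not a plain positive integer.
function parse_post_ids(string $raw): array
{
    $ids = [];
    foreach (explode('|', $raw) as $part) {
        // ctype_digit() accepts only 0-9, so quotes, spaces, signs and SQL text fail.
        if ($part === '' || strlen($part) > 9 || !ctype_digit($part) || (int) $part < 1) {
            throw new InvalidArgumentException('invalid post id in list');
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

// Hypothetical query helper: one bound placeholder per id, so request data
// never becomes part of the SQL text even if validation is later relaxed.
function fetch_posts(PDO $db, array $ids): array
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT pid, message FROM posts WHERE pid IN ($marks) ORDER BY pid");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (pid INTEGER PRIMARY KEY, message TEXT)');
$db->exec("INSERT INTO posts VALUES (12, 'first'), (15, 'second'), (20, 'other')");

// Constructed inputs: a well-formed list, and one where a quote follows the id.
foreach (['12|15', "12|15' OR 1=1"] as $raw) {
    try {
        $rows = fetch_posts($db, parse_post_ids($raw));
        echo 'accepted "', $raw, '": ', count($rows), " row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected "', $raw, '": ', $e->getMessage(), "\n";
    }
}
```

Validation and parameter binding are independent layers here: the integer check rejects the malformed list before any query is built, and the bound placeholders keep the ids out of the SQL string regardless.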

