Bugtraq: [myimei]MyBB 1.0.3~private.php~multiple SqlInjection

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

[myimei]MyBB 1.0.3~private.php~multiple SqlInjection

From: addmimistrator () gmail com
Date: 15 Feb 2006 19:01:10 -0000

\>>>>>>>>ORIGINAL ADVISORY<<<<<<<<<<</
http://myimei.com/security/2006-02-11/mybb-103privatephpmultiple-sqlinjection.html

Vendor Credit:http://community.mybboard.net/showthread.php?tid=6777

-Summary-
Software: MyBB
Sowtwares Web Site: http://www.mybboard.com
Versions: 1.0.3
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: <strong>imei addmimistrator</strong>
Risk Level: <strong>high</strong>
Description
There is some security bug in MyBB 1.0.3 software (latest version fully patched) file <strong>private.php</strong>  
that allows attacker performe an <strong>SQLINJECTION </strong>attack.<!--more--> bug is in result of poor checking 
quotations for user suplied variables.
as this bug is an UPDATE&DELETE query execution on users table, attacker can easily make himself an forum admin also 
other attacks are possible too.
Exploit-
examples provided here:
/mybb/private.php?action=do_folders&folder['<strong>sql</strong>]=nomatter
/mybb/private.php?action=do_folders&folder['<strong>sql</strong>]
/mybb/private.php?action=do_stuff&delete=1&check['<strong>sql</strong>]

also vendor may like to solve a sniffing bug while upgrade:
mybb/private.php?action=do_empty&empty[]=noyes

Solution
upgrade to vendors provided patch1.0.4
Credit
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
security.myimei.com

By Date By Thread

Current thread:

[myimei]MyBB 1.0.3~private.php~multiple SqlInjection addmimistrator (Feb 15)