oss-sec mailing list archives

Re: CVE request: mybb < 1.4.1

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 9 Sep 2008 10:37:18 -0400 (EDT)


On Tue, 9 Sep 2008, Hanno [utf-8] B??ck wrote:

http://community.mybboard.net/showthread.php?tid=36022

Hmm, they mention vulns, but they don't give any info about...


That post links to a patch file that gives a lot of clues:

http://community.mybboard.net/attachment.php?aid=10579

Looks like:


CVE-2008-3965
-------------
misc.php - SQL injection


CVE-2008-3966
-------------
usercp2.php, inc/functions_online.php,  moderation.php - XSS


CVE-2008-3967
-------------
moderation.php also has some privilege/permission checking (see
"is_moderator_by_tids")


These will be filled in later.

- Steve

Current thread:

CVE request: mybb < 1.4.1 Hanno Böck (Sep 09)
- Re: CVE request: mybb < 1.4.1 Steven M. Christey (Sep 09)