MyBB 1.0 SQL injection in uploading file

2006.01.02

Credit: addmimistrator

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2005-4602

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Hey
there is a security bug in inc/function_upload.php script in mybb all version (except two days ago security updated version) that allows SQL INJECTION
this bug is in function of upload attachment .
when a file goes to upload this function test that if file has a valid extension . for this call getextension function and fetch all of characters after last period sign. then make a query and search in valid extensions table and here a file with quoted extension include sql statement will be execute.
this bug reported to mybb offical site and patched as a security patch in internal version 1.0.1 two days ago
be beauty
imei

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MyBB 1.0 SQL injection in uploading file

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.