MyBB 1.1.1 Local SQL Injections

2006.05.01
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-89


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

MyBB Local SQL Injections .. [ This Local Injections Only For Admin ] * 1 * [code] adminfunctions.php , line 730 $db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['a ction']."','".$querystring."','".$ipaddress."')"); $querystring = Not Filtered Exploit Exm. /admin/adminlogs.php?action=view&D3vil-0x1=[SQL]' Fix , Replace with $db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['a ction']."','".addslashes($querystring)."','".$ipaddress."')"); [/code] * 2 * [code] templates.php , lines 107 to 114 $newtemplate = array( "title" => addslashes($mybb->input['title']), "template" => addslashes($mybb->input['template']), "sid" => $mybb->input['setid'], "version" => $mybboard['vercode'], "status" => "", "dateline" => time() ); sid = Not Filtered Exploit Exm. /admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]' Fix Replace with $newtemplate = array( "title" => addslashes($mybb->input['title']), "template" => addslashes($mybb->input['template']), "sid" => addslashes($mybb->input['setid']), "version" => $mybboard['vercode'], "status" => "", "dateline" => time() ); [/code] * 3 * [code] templates.php , line 600 $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".$expand."'"); $expand = $mybb->input['expand']; = Not Filtered Exploit Exm. /admin/templates.php?expand=' UNION ALL SELECT 1,2/* Fix Replace With $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".intval($expand)."'"); [/code] * 4 * [code] templates.php , line 424 $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'"); $template1 = $db->fetch_array($query); $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'"); Exploit Exm. /admin/templates.php?action=diff&title=[SQL]' /admin/templates.php?action=diff&sid2=[SQL]' Fix Replace With $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes($mybb->input['title'])."' AND sid='".intval($mybb->input['sid1'])."'"); $template1 = $db->fetch_array($query); $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes(($mybb->input['title'])."' AND sid='".intval($mybb->input['sid2'])."'"); [/code] MyBB Has Many Local Bugs ,, Fix It s00n ;)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top