Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

[Full-disclosure] Critical SQL Injection PHPNuke <= 7.8 - Your_Account module

[SA18874] @Mail Webmail Image Tag Script Insertion Vulnerability

[SA18873] Clever Copy Private Message "Subject" Script Insertion Vulnerability

[SA18876] Teca Diary Personal Edition SQL Injection Vulnerability

From:	imei <addmimistrator_(at)_gmail.com>
Date:	16.02.2006
Subject:	[myimei]MyBB 1.0.3~private.php~multiple SqlInjection

\>>>>>>>>ORIGINAL ADVISORY<<<<<<<<<<</
http://myimei.com/security/2006-02-11/mybb-103privatephpmultiple-sqlinjection.htm
l

Vendor Credit:http://community.mybboard.net/showthread.php?tid=6777

——————-Summary—————-
Software: MyBB
Sowtware’s Web Site: http://www.mybboard.com
Versions: 1.0.3
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: <strong>imei addmimistrator</strong>
Risk Level: <strong>high</strong>
—————–Description—————
There is some security bug in MyBB 1.0.3 software (latest version fully patched) file
<strong>private.php</strong>  that allows attacker performe an <strong>SQLINJECTION
</strong>attack.<!--more--> bug is in result of poor checking quotations for user suplied variables.
as this bug is an UPDATE&DELETE query execution on users table, attacker can easily make himself an forum
admin also other attacks are possible too.
————–Exploit———————-
examples provided here:
/mybb/private.
php?action=do_folders&folder['<strong>sql</strong>]=nomatter

/mybb/private.
php?action=do_folders&folder['<strong>sql</strong>]
/mybb/private.
php?action=do_stuff&delete=1&check['<strong>sql</strong>]


also vendor may like to solve a sniffing bug while upgrade:
mybb/private.php?action=do_empty&empty[]=noyes

————–Solution———————
upgrade to vendors provided patch1.0.4
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
security.myimei.com