VID | 21879 |
Severity | 30 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The MyBB program is vulnerable to SQL injection through a global variable overwrite vulnerability. MyBB (formerly MyBulletinBoard) is a freely available forum package developed in PHP and MySQL. MyBB version 1.1 could allow a remote attacker to execute arbitrary SQL commands because user-supplied input passed to global variables in the global.php and inc/init.php scripts is improperly filtered. These vulnerabilities could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
  * http://community.mybboard.net/showthread.php?tid=8232
  * http://www.securityfocus.com/archive/1/431061/30/0/threaded
  * http://secunia.com/advisories/19668/
* Platforms Affected:
  * MyBB Group, MyBB version 1.1
  * Any operating system, Any version |
Recommendation | Upgrade to the latest version of MyBB (1.1.1 or later), available from the MyBB Download Web site at http://www.mybboard.com/downloads.php |
Related URL | CVE-2006-1912 (CVE) |
Related URL | 17564 (SecurityFocus) |
Related URL | 25865 (ISS) |