MyBB - Multiple Cross-Site Scripting and SQL Injection Vulnerabilities

ID EDB-ID:25779
Type exploitdb
Reporter Alberto Trivero
Modified 2005-05-31T00:00:00


MyBB Multiple Cross-Site Scripting and SQL Injection Vulnerabilities. Webapps exploit for php platform


MyBB is prone to multiple cross-site scripting and SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

The application is prone to multiple SQL injection vulnerabilities. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

The application is also prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.'%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users/*[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query]'[sql_query][0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E[0]=0&version=%3Cscript%3Ealert(document.cookie)%3C/script%3E