CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
85.3%
The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the ‘CLIENT-IP’ request header before using it in a database query when initiating a session in the inc/class_session.php script. A remote attacker can exploit this issue to manipulate SQL queries, resulting in the disclosure of sensitive information and modification of data.
Note that successful exploitation is possible regardless of PHP’s settings.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(22055);
script_version("1.23");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2006-3775");
script_bugtraq_id(18997);
script_xref(name:"EDB-ID", value:"3653");
script_name(english:"MyBB HTTP Header 'CLIENT-IP' Field SQLi");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP application that is affected by
a SQL injection vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of MyBB installed on the remote host is affected by a SQL
injection vulnerability due to improper sanitization of user-supplied
input to the 'CLIENT-IP' request header before using it in a database
query when initiating a session in the inc/class_session.php script. A
remote attacker can exploit this issue to manipulate SQL queries,
resulting in the disclosure of sensitive information and modification
of data.
Note that successful exploitation is possible regardless of PHP's
settings.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Jul/252");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/440163/30/0/threaded");
script_set_attribute(attribute:"see_also", value:"https://community.mybb.com/showthread.php?tid=10555");
script_set_attribute(attribute:"solution", value:
"Upgrade to MyBB version 1.1.6 or later");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/15");
script_set_attribute(attribute:"patch_publication_date", value:"2006/07/15");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/17");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mybb:mybb");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2024 Tenable Network Security, Inc.");
script_dependencies("mybb_detect.nasl");
script_require_keys("www/PHP", "installed_sw/MyBB");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "MyBB";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);
# Try to exploit the flaw to generate a SQL syntax error.
magic = "'" + SCRIPT_NAME + "--";
w = http_send_recv3(
method : "GET",
item : dir + "/",
port : port,
add_headers : make_array("CLIENT-IP", magic),
exit_on_fail : TRUE
);
res = w[2];
# There's a problem if we see a syntax error with our script name.
if (
"SQL error: 1064" >< res &&
"near " + magic + "'' at line" >< res &&
(
"SELECT sid,uid" >< res ||
"WHERE ip='" >< res
)
)
{
output = strstr(res, "SQL error: 1064");
if (empty_or_null(output)) output = res;
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
sqli : TRUE, # Sets SQLInjection KB key
request : make_list(http_last_sent_request()),
output : chomp(output)
);
exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);