kapda-50.txt

02 Jul 2006 00:00:00. Reported by imei addmimistrator. Type: packetstorm. Source: packetstormsecurity.com

MyBB 1.1.4 Multiple Vulnerabilities including SQL Injection & XSS, Patched, Risk: Mediu

Code
`[KAPDA::#50]MyBB 1.1.4 Multiple Vuln  
  
SQL_Injection & XSS  
  
-------  
  
KAPDA New Advisory .  
http://www.kapda.ir/advisory-349.html  
  
ORIGINAL ADVISORY:  
http://myimei.com/security/2006-06-24/mybb...verwriting.html  
http://myimei.com/security/2006-06-22/mybb...in-url-tag.html  
  
-Summary-  
Software: MyBB  
Software's Web Site: http://www.mybboard.com  
Versions: 1.1.3 And 1.1.4  
Class: Remote  
Status: Patched  
Exploit: Available  
Discovered by: imei addmimistrator  
Risk Level: Medium  
Description  
Variable-overwriting :  
There is a security bug in MyBB 1.1.4 (latest version, fully patched) that allows an attacker to initialize arbitrary variables with arbitrary values and perform many kinds of attack, such as SQL injection.  
  
The bug results from extracting request values into variables. The KILL_GLOBALS constant is not defined in the /archive/index.php file, and that omission is the reason for this weakness. Because of this flaw, an attacker can insert their own variables and overwrite existing values.  
XSS :  
MyBB has a security bug that allows attackers to run unwanted scripts in clients' browsers, the well-known XSS (Cross-Site Scripting) attack.  
The bug results from poor checking of unicode input in URLs, which leads to a direct javascript call being executed in some common browsers such as IE, FF, etc. The cause is that browsers pay attention to unicode data but MyBB does not.  
See Also  
Variable-overwriting :  
{inc/init.php}near 28  
if(!defined("KILL_GLOBALS"))  
{  
@extract($_POST, EXTR_OVERWRITE);  
@extract($_GET, EXTR_OVERWRITE);  
}  
XSS:  
{inc/functions_post.php}near 138  
function fixjavascript($message)  
{  
$message = preg_replace("#javascript:#i", "java script:", $message);  
/* .. */  
  
{also near 19}  
$message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message); // fix & but allow unicode.  
Exploit-  
Variable-overwriting : mybb/archive/index.php?_SERVER[HTTP_CLIENT_IP]=sql  
XSS :  
post this message:  
[url]javascript:alert(imei is Here);//://ddd[/url]  
Solution  
Upgrade using the vendor-provided patch.  
Credit  
Discovered by: imei addmimistrator  
addmimistrator(4}gmail(O}com  
imei(4}Kapda(O}IR  
www.myimei.com  
myimei.com/security  
www.kapda.ir/advisory-349.html  
  
`
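
One way to look for attempts at the variable-overwriting issue described in this advisory is to scan web server access logs for query parameters named after PHP superglobals. This is an added example, not code from the advisory or from MyBB; the combined log format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP superglobal names that should never arrive as request parameter names.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE",
                "_FILES", "_ENV", "_REQUEST", "_SESSION"}

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def superglobal_params(target):
    """Return superglobal names used as parameter names in a request target."""
    query = target.partition("?")[2]
    hits = []
    # parse_qsl percent-decodes names, so _SERVER%5Bx%5D is caught as well.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        base = name.split("[", 1)[0].strip()  # _SERVER[KEY] -> _SERVER
        if base in SUPERGLOBALS and base not in hits:
            hits.append(base)
    return hits


def scan(log_lines):
    """Yield (line_number, target, names) for each suspicious request."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        names = superglobal_params(match.group("target"))
        if names:
            yield number, match.group("target"), names


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2006:10:00:01 +0000] "GET /mybb/archive/index.php?thread-12.html HTTP/1.1" 200 5120',
    '192.0.2.77 - - [02/Jul/2006:10:00:05 +0000] "GET /mybb/archive/index.php?_SERVER[HTTP_CLIENT_IP]=x HTTP/1.1" 200 5120',
    '192.0.2.77 - - [02/Jul/2006:10:00:09 +0000] "GET /mybb/archive/index.php?_SERVER%5BHTTP_CLIENT_IP%5D=x HTTP/1.1" 200 5120',
    '192.0.2.11 - - [02/Jul/2006:10:00:12 +0000] "GET /mybb/index.php?server=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, target, names in scan(SAMPLE_LOG):
        print(f"line {number}: {names} in {target}")
```

Access logs normally record only the query string, so this covers the `$_GET` path of the `extract()` calls; parameters sent in a POST body need inspection at the application or WAF layer.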
