MyBB 1.6 <= SQL Injection Vulnerability

2010-12-28T00:00:00
ID SECURITYVULNS:DOC:25399
Type securityvulns
Reporter Securityvulns
Modified 2010-12-28T00:00:00

Description

================================= MyBB 1.6 <= SQL Injection Vulnerability =================================

  1. OVERVIEW

Potential SQL Injection vulnerability was detected in MyBB.

  1. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the MyBB Group. It's supposed to be developed from XMB and DevBB bulletin board applications.

  1. VULNERABILITY DESCRIPTION

The "keywords" parameter was not properly sanitized in /private.php and /search.php which leads to SQL Injection vulnerability. Full exploitation possibility is probably mitigated by clean_keywords and clean_keywords_ft functions in inc/functions_search.php.

  1. VERSIONS AFFECTED

MyBB 1.6 and lower

  1. PROOF-OF-CONCEPT/EXPLOIT

=> /search.php

POST /mybb/search.php

action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1

=> /private.php

POST /mybb/private.php

my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff

  1. SOLUTION

Upgrade to 1.6.1

  1. VENDOR

MyBB Development Team http://www.mybb.com/

  1. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

  1. DISCLOSURE TIME-LINE

2010-12-09: notified vendor 2010-12-15: vendor released fixed version 2010-12-24: vulnerability disclosed

  1. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection About MyBB: http://www.mybb.com/about/mybb

yehg [2010-12-24]


Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd