lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 27 Apr 2006 08:01:19 -0000
From: o.y.6@...mail.com
To: bugtraq@...urityfocus.com
Subject: MyBB 1.1.1 Local SQL Injections


MyBB Local SQL Injections ..

	[ This Local Injections Only For Admin ]

* 1 *
[code]
	adminfunctions.php , line 730

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".$querystring."','".$ipaddress."')");

$querystring = Not Filtered

	Exploit Exm.
    	/admin/adminlogs.php?action=view&D3vil-0x1=[SQL]'

Fix , Replace with

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".addslashes($querystring)."','".$ipaddress."')");
[/code]

* 2 *
[code]
	templates.php , lines 107 to 114

$newtemplate = array(
	"title" => addslashes($mybb->input['title']),
	"template" => addslashes($mybb->input['template']),
	"sid" => $mybb->input['setid'],
	"version" => $mybboard['vercode'],
	"status" => "",
	"dateline" => time()
);

sid = Not Filtered

	Exploit Exm.
    	/admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]'

Fix Replace with

$newtemplate = array(
		"title" => addslashes($mybb->input['title']),
		"template" => addslashes($mybb->input['template']),
		"sid" => addslashes($mybb->input['setid']),
		"version" => $mybboard['vercode'],
		"status" => "",
		"dateline" => time()
);
[/code]

* 3 *
[code]
	templates.php , line 600

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".$expand."'");

$expand = $mybb->input['expand']; = Not Filtered

	Exploit Exm.
    	/admin/templates.php?expand=' UNION ALL SELECT 1,2/*

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".intval($expand)."'");
[/code]

* 4 *
[code]
	templates.php , line 424

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'");
	$template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'");

	Exploit Exm.
    	/admin/templates.php?action=diff&title=[SQL]'
        /admin/templates.php?action=diff&sid2=[SQL]'

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes($mybb->input['title'])."' AND sid='".intval($mybb->input['sid1'])."'");
	$template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes(($mybb->input['title'])."' AND sid='".intval($mybb->input['sid2'])."'");
[/code]

MyBB Has Many Local Bugs ,, Fix It s00n ;)





Powered by blists - more mailing lists