——————-Summary—————-
Software: MyBB
Sowtware’s Web Site: http://www.mybboard.com
Versions: 1.1.0
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Very high
—————–Description—————
There is a security bug in MyBB 1.1.0 software files global.php that allows attacker performe varable extracting.
bug is in result of forgetting to set a constant “KILL_GLOBAL” to 1 that results to Extracting web parameters (POST & GET) into varables.
in result of this bug, many type of attacks can be perform. XSS Or SQL injection or etc.
————–See Also——————-
{inc/init.php}21
if(!defined(”KILL_GLOBALS”))
{
@extract($_POST, EXTR_OVERWRITE);
@extract($_GET, EXTR_OVERWRITE);
}
{also above of usercp2 and newthread files there are not this section:}
define(”KILL_GLOBALS”, 1);
————–Exploit———————-
some examples:
1-/mybb/global.php?_SERVER[HTTP_CLIENT_IP]=’sql
————–Solution———————
To Vendor. add a non-Direct-Call on top of global.php files. But I cant find reason of extracting variables from web , specially when you try to patch RegisterGlobalsOn problem manually.:-s:-?
————-–ACKs———————–
Roozbeh Afrasiabi, It is a little sign of my friendship.
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
http://www.myimei.com
http://myimei.com/security
3 Responses to “MyBB1.1.0~global.php~ParameterExtracting”
Something to say?
You must be logged in to post a comment.
confirm of vendor
http://community.mybboard.net/showthread.php?tid=8232
Left by imei on April 15th, 2006
http://secunia.com/advisories/19668/
Left by imei on April 18th, 2006
bu site herkese yeter
Left by forumcular on May 3rd, 2006