The advisory says:

>Status: patched in 1.0.3
...
>?????Solution???????
>No Patch available.
>(bug reported to vendor today)

I'm confused. One part of this advisory says there's a patch available, one part says there isn't. (By the way, this is an example of the "inconsistent" property of security advisories, in which most advisories are either incomplete, inaccurate, inconsistent, or incomprehensible, i.e. the Four I's principle.)

It does not appear to be fixed, or at least the MyBB community forums do not say anything.

For those keeping track at home, this is a different attack vector than the sortby/sortorder (sorder) vectors identified by CVE-2006-0470, which also happened to affect search.php in MyBB 1.0.2, and appear to have been fixed by the vendor along with some other issues if you review the manual patch [1].

- Steve

[1] http://community.mybboard.net/showthread.php?tid=6418