-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Advisory:Multiple SQL Injection vulnerabilities in MyBB
Name:TKADV2005-12-001
Revision:1.0
Release Date:2005/12/23
Last Modified: 2005/12/23
Date Reported: 2005/11/07
Author: Tobias Klein (tk at trapkit.de)
Affected Software: MyBB (all versions = MyBB PR2 Rev.686)
Risk:Critical (x) High ( ) Medium ( ) Low ( )
Vendor URL: http://www.mybboard.com/
Vendor Status: Vendor has released an updated version
=
Overview:
=
MyBB is a powerful, efficient and free forum package developed in
PHP and MySQL.
Version MyBB PR2 Rev.686 and prior contain multiple SQL Injection
vulnerabilities.
==
Vulnerability details:
==
Some of the following vulnerabilities can be successfully exploited
by every anonymous guest user of MyBB. To exploit the other issues
a registered user account is needed. Because of that all
vulnerabilities are rated with a high probability of occurrence.
Every single SQL injection issue that is described in the following
allows a full compromise of a MyBB installation (f.e. steal or
[re]set the administrator password). PoC code has been developed
but won't be released to the public.
For a description of the calculation of the resulting threat of a
vulnerability see reference [3].
[1] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any anonymous
guest user of MyBB.
Vulnerable URL:
[path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: month
Proof of Concept (POST request):
POST [path_to_mybb]/calendar.php HTTP/1.1
Parameter | Value
month | 11[SQL]
day | 11
year| 2005
subject | test
description | test
action | do_addevent
[2] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any anonymous
guest user of MyBB.
Vulnerable URL:
[path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: day
Proof of Concept (POST request):
POST [path_to_mybb]/calendar.php HTTP/1.1
Parameter | Value
month | 11
day | 11[SQL]
year| 2005
subject | test
description | test
action | do_addevent
[3] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any anonymous
guest user of MyBB.
Vulnerable URL:
[path_to_mybb]/calendar.php?action=addevent
Vulnerable POST parameter: year
Proof of Concept (POST request):
POST [path_to_mybb]/calendar.php HTTP/1.1
Parameter | Value
month | 11
day | 11
year| 2005[SQL]
subject | test
description | test
action | do_addevent
[4] SQL Injection
Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical
HTTP method: POST
Vulnerability description:
MyBB is prone to a SQL injection vulnerability. This issue is due
to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result