MyBB 1.1.1 Email Verification in User Activation SQL Injection Attack

2006.05.13

Credit: addmimistrator gmail com

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2006-2333

CWE: CWE-89

CVSS Base Score: 6.4/10

Impact Subscore: 4.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: None

ORIGINAL ADVISORY:
http://myimei.com/security/2006-05-07/mybb111email-verification-in-user-
activation-sql-injection-attack.html
??????-Summary?????-
Software: MyBB
Sowtware?s Web Site: http://www.mybboard.com
Versions: 1.1.1
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: medume-High
??????Description?????
There is a security bug in MyBB 1.1.1 software (latest version fully patched) that allows attacker performe a SQL Injection attack.
bug is in result of weak regullar expression for cheknig email and also forgotting to addslash a value that entered in db and now fetch and reinsert it.
MORE DETAILES IN ORIGINAL ADVISORY;)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MyBB 1.1.1 Email Verification in User Activation SQL Injection Attack

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.