Family: CGI abuses --> Category: attack
MyBB forums Parameter SQL Injection Vulnerability Scan
Vulnerability Scan Summary : Checks for forums parameter SQL injection vulnerability in MyBB
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP script that is susceptible to SQL
injection attacks.
Description :
The remote version of MyBB fails to sanitize input to the 'forums'
parameter of the 'search.php' script before using it in database
queries. This may allow an unauthenticated attacker to uncover
sensitive information such as password hashes, modify data, launch
attacks against the underlying database, etc.
See also :
http://www.securityfocus.com/archive/1/426631/30/30/threaded
Solution :
Edit 'search.php' and ensure 'forum' takes on only integer values as
described in the original advisory.
Threat Level:
Medium / CVSS Base Score : 5
(AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)