Detections
Analytics
MyBB misc.php Multiple SQL Injection Vulnerabilities
high Nessus Plugin ID 19715
Language:
Synopsis
The remote web server hosts a PHP application that is affected by multiple SQL injection vulnerabilities.Description
The version of MyBB installed on the remote host is affected by multiple SQL injection vulnerabilities due to improper sanitization of user-supplied input to the 'fid' parameter of the 'misc.php' script and the 'Content-Disposition' field in the HTTP header to the newreply.php script. A remote attacker can exploit these issues to manipulate SQL queries, resulting in the disclosure of sensitive information and modification of data.Solution
Enable PHP's 'magic_quotes_gpc' setting.See Also
https://www.securityfocus.com/archive/1/409743/30/0/threaded
Plugin Details
Severity: High
ID: 19715
File Name: mybb_fid_sql_injection2.nasl
Version: 1.25
Type: remote
Family: CGI abuses
Published: 9/17/2005
Updated: 6/5/2024
Configuration: Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Medium
Score: 5.5
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: cpe:/a:mybb:mybb
Required KB Items: www/PHP, installed_sw/MyBB
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: No exploit is required
Vulnerability Publication Date: 9/7/2005
Reference Information
CVE: CVE-2005-2888
BID: 14762