Detections
Analytics
MyBB search.php 'forums' Parameter SQLi
medium Nessus Plugin ID 21052
Language:
Synopsis
The remote web server hosts a PHP application that is affected by a SQL injection vulnerability.Description
The version of MyBB running on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the 'forums' parameter of the search.php script. A remote attacker can exploit this issue to manipulate SQL queries, resulting in the disclosure of sensitive information and modification of data.Solution
Edit search.php and ensure 'forum' takes on only integer values as described in the vendor advisory.See Also
https://www.securityfocus.com/archive/1/426631/30/30/threaded
Plugin Details
Severity: Medium
ID: 21052
File Name: mybb_forums_sql_injection.nasl
Version: 1.24
Type: remote
Family: CGI abuses
Published: 3/13/2006
Updated: 6/5/2024
Configuration: Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
Vulnerability Information
CPE: cpe:/a:mybb:mybb
Required KB Items: www/PHP, installed_sw/MyBB
Excluded KB Items: Settings/disable_cgi_scanning
Vulnerability Publication Date: 3/2/2006
Reference Information
CVE: CVE-2006-1065