MyBB < 1.1.1 Multiple Script Variable Overwrite

high Nessus Network Monitor Plugin ID 3519

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote version of MyBB does not properly initialize global variables in the 'global.php' and 'inc/init.php' scripts. An unauthenticated attacker can leverage this issue to overwrite global variables through GET and POST requests and launch other attacks against the affected application.

Solution

Upgrade to version 1.1.1 or higher.

See Also

http://www.securityfocus.com/archive/1/431061/30/0/threaded

http://community.mybboard.net/showthread.php?tid=8232

Plugin Details

Severity: High

ID: 3519

Family: CGI

Published: 8/18/2004

Updated: 3/6/2019

Nessus ID: 21239

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mybulletinboard:mybulletinboard

Reference Information

CVE: CVE-2006-1912

BID: 17564, 17872