CVE-2005-2580 - SQL Injection vulnerability in Mybulletinboard 1.00Rc4Securitypatch

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
low complexity
mybulletinboard
nessus
exploit available

Summary

Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 with Security Patch allow remote attackers to execute arbitrary SQL commands via the Username field in (1) index.php or (2) member.php, action parameter to (3) search.php or (4) member.php, or (5) polloptions parameter to polls.php.

Vulnerable Configurations

Part         Description      Count
Application  Mybulletinboard  1

Exploit-Db

  • description: MyBulletinBoard RC4 search.php action Parameter SQL Injection. CVE-2005-2580. Webapps exploit for php platform
    id: EDB-ID:26150
    last seen: 2016-02-03
    modified: 2005-08-12
    published: 2005-08-12
    reporter: phuket
    source: https://www.exploit-db.com/download/26150/
    title: MyBulletinBoard RC4 - search.php action Parameter SQL Injection
  • description: MyBulletinBoard RC4 polls.php polloptions Parameter SQL Injection. CVE-2005-2580. Webapps exploit for php platform
    id: EDB-ID:26149
    last seen: 2016-02-03
    modified: 2005-08-12
    published: 2005-08-12
    reporter: phuket
    source: https://www.exploit-db.com/download/26149/
    title: MyBulletinBoard RC4 polls.php polloptions Parameter SQL Injection
  • description: MyBulletinBoard RC4 index.php Username Parameter SQL Injection. CVE-2005-2580. Webapps exploit for php platform
    id: EDB-ID:26147
    last seen: 2016-02-03
    modified: 2005-08-12
    published: 2005-08-12
    reporter: phuket
    source: https://www.exploit-db.com/download/26147/
    title: MyBulletinBoard RC4 index.php Username Parameter SQL Injection
  • description: MyBulletinBoard RC4 member.php Multiple Parameter SQL Injection. CVE-2005-2580. Webapps exploit for php platform
    id: EDB-ID:26148
    last seen: 2016-02-03
    modified: 2005-08-12
    published: 2005-08-12
    reporter: phuket
    source: https://www.exploit-db.com/download/26148/
    title: MyBulletinBoard RC4 member.php Multiple Parameter SQL Injection

Nessus

NASL family: CGI abuses
NASL id: MYBB_FID_SQL_INJECTION.NASL
description: The version of MyBB installed on the remote host is affected by multiple SQL injection vulnerabilities : - Multiple SQL injection vulnerabilities exist due to improper sanitization of user-supplied input passed via the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19525
published: 2005-08-30
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19525
title: MyBB <= 1.00 RC4 Multiple SQL Injection Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(19525);
  script_version ("1.26");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2005-2580", "CVE-2005-2697", "CVE-2005-2778");
  script_bugtraq_id(14553, 14615, 14684);

  script_name(english:"MyBB <= 1.00 RC4 Multiple SQL Injection Vulnerabilities");
  script_summary(english:"Checks for multiple SQL injections in MyBB.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP application that is affected by
multiple SQL injection vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of MyBB installed on the remote host is affected by
multiple SQL injection vulnerabilities :
   

  - Multiple SQL injection vulnerabilities exist due to
    improper sanitization of user-supplied input passed via
    the 'Username' field, the 'action' parameter, and the
    'polloptions' parameter. A remote attacker can exploit
    this issue to manipulate SQL queries, resulting in the
    disclosure of sensitive information and modification of
    data. (CVE-2005-2580)

  - A SQL injection vulnerability exists due to improper
    sanitization of user-supplied input passed via the 'uid'
    parameter. A remote attacker can exploit this issue to
    manipulate SQL queries, resulting in the disclosure of
    sensitive information and modification of data.
    (CVE-2005-2697)

  - A SQL injection vulnerability exists due to improper
    sanitization of user-supplied input passed via the 'fid'
    parameter in the member.php script. A remote attacker
    can exploit this issue to manipulate SQL queries,
    resulting in the disclosure of sensitive information and
    modification of data. (CVE-2005-2778)

Note that the application is reportedly affected by several additional
SQL injection vulnerabilities. However, Nessus has not
tested for the additional vulnerabilities.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/407960");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/408624");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/409523");
  script_set_attribute(attribute:"see_also", value:"https://community.mybb.com/showthread.php?tid=3350");
  script_set_attribute(attribute:"solution", value:
"Apply the patch referenced in the vendor advisory. Alternatively,
enable PHP's 'magic_quotes_gpc' setting.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/08/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mybb:mybb");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencie("mybb_detect.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP", "installed_sw/MyBB");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "MyBB";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);
script = SCRIPT_NAME;

# Each probe appends a single quote followed by this plugin's own file name
# to the affected parameter. On an unpatched install the broken query is
# echoed back in a MySQL 1064 error that contains the script name, which is
# the marker the regular expression below looks for.
exploits = make_list(
  "/polls.php?action=newpoll&tid=1&polloptions='" + script,
  "/search.php?action='" + script,
  "/search.php?action=finduser&uid=-1'" + script,
  "/member.php?action=profile&uid=lastposter&fid=-1'" + script
);

# Try to exploit the flaws.
foreach exploit (exploits)
{
  w = http_send_recv3(
    method : "GET",
    item   : dir + exploit,
    port   : port,
    exit_on_fail : TRUE
  );
  res = w[2];

  # There's a problem if we see a syntax error with our script name.
  if (
    egrep(
      string:res,
      pattern:"mySQL error: 1064<br>.+near '" +script+ "', ip=.+Query: UPDATE .*online SET uid="
    )
  )
  {
    output = strstr(res, "mySQL error: 1064");
    if (empty_or_null(output)) output = res;

    security_report_v4(
      port       : port,
      severity   : SECURITY_HOLE,
      generic    : TRUE,
      sqli       : TRUE,  # Sets SQLInjection KB key
      request    : make_list(http_last_sent_request()),
      output     : chomp(output)
    );
    exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);