CVE-2005-4200 - SQL Injection vulnerability in MyBB

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0 have unknown impact and attack vectors; they are a different set of vulnerabilities from those identified by CVE-2005-4199. The CVE record itself names no affected script or parameter. The Nessus plugins listed below exercise two concrete SQL injection points that have been tagged with this CVE — the 'month' parameter of calendar.php and the 'rating' parameter of ratethread.php — and the first of them notes that further, untested injection points were reported, some of which work even with PHP's 'magic_quotes_gpc' enabled. Note that the two plugins score the issue differently (complete vs. partial C/I/A impact) and give different remediation advice; the upgrade to MyBB 1.0 or later is the one that addresses the whole set.

Nessus

  • NASL familyCGI abuses
    NASL idMYBB_10.NASL
    description: The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the 'month' parameter of the calendar.php script; a remote, unauthenticated attacker can exploit this to manipulate SQL queries.
    last seen2020-06-01
    modified2020-06-02
    plugin id20342
    published2005-12-24
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20342
    titleMyBB calendar.php 'month' Parameter SQLi
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration.  Everything in this block is metadata the scanner
    # reads when it loads the plugin; the actual check begins after the
    # closing brace.
    if (description)
    {
      script_id(20342);
      script_version("1.23");
      script_cvs_date("Date: 2018/11/15 20:50:18");
    
      # Both CVEs are claimed, but only the calendar.php 'month' injection is
      # exercised by this plugin; the description below says so explicitly.
      script_cve_id("CVE-2005-4199", "CVE-2005-4200");
      script_bugtraq_id(15793);
    
      script_name(english:"MyBB calendar.php 'month' Parameter SQLi");
      script_summary(english:"Checks for a SQL injection vulnerability.");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a PHP application that is affected by
    a SQL injection vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of MyBB installed on the remote host is affected by a SQL
    injection vulnerability due to improper sanitization of user-supplied
    input to the 'month' parameter of the calendar.php script. A remote,
    unauthenticated attacker can exploit this issue to manipulate SQL
    queries, resulting in the disclosure of sensitive information and
    modification of data.
    
    Note that the application is also reportedly affected by several
    additional SQL injection vulnerabilities, many of which can be
    exploited even if PHP's 'register_globals' setting is disabled and the
    'magic_quotes_gpc' setting is enabled. However, Nessus has not tested
    for these additional issues.");
      script_set_attribute(attribute:"see_also", value:"http://www.trapkit.de/advisories/TKADV2005-12-001.txt");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/1236");
      script_set_attribute(attribute:"see_also", value:"https://community.mybb.com/showthread.php?tid=5184");
      # The fix is a version upgrade rather than a PHP-setting workaround:
      # per the description, several of the additional injections work even
      # with 'magic_quotes_gpc' enabled.
      script_set_attribute(attribute:"solution", value:"Upgrade to MyBB 1.0 or later.");
      # CVSSv2 base: network-reachable, low complexity, no authentication,
      # complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/12/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/24");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mybb:mybb");
      script_end_attributes();
    
      # ACT_ATTACK: the check below sends an injection payload in a POST
      # that attempts to add a calendar event, i.e. it is not a passive probe.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      # Relies on the MyBB detection plugin having already recorded an
      # install (get_install_count / get_single_install below read it).
      script_dependencies("mybb_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP", "installed_sw/MyBB");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
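    # Main check.  Confirm the MyBB calendar form is reachable, then submit
    # an add-event POST whose 'month' value carries a single quote followed
    # by this plugin's file name, and look for that name quoted back inside
    # a MySQL syntax error.  A hole is reported only on a positive match.
    app = "MyBB";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    
    install = get_single_install(
      app_name : app,
      port     : port
    );
    
    dir = install['path'];
    install_url = build_url(port:port, qs:dir);
    
    # The plugin's own file name doubles as the injection marker, so a
    # syntax error quoting it can only have come from this request.
    script = SCRIPT_NAME;
    
    # Make sure the affected script exists and actually serves the form;
    # without it the POST below would not reach the query being tested.
    w = http_send_recv3(
      method : "GET",
      item   : dir + "/calendar.php",
      port   : port,
      exit_on_fail : TRUE
    );
    res = w[2];
    
    # Distinguish "could not test" from "tested and clean".  A missing form
    # says nothing about whether the injection is present, so do not report
    # the install as unaffected in that case (the original fell through to
    # AUDIT_WEB_APP_NOT_AFFECTED here).  Mirrors the "no thread id" exit in
    # mybb_rating_sql_injection.nasl.
    if ('<form action="calendar.php" method=' >!< res)
      exit(0, "The calendar form was not found on the " + app + " install at " + install_url + ", so the check could not be run.");
    
    # nb: this is a write attempt (action=do_addevent).  On a vulnerable
    #     target the injected quote breaks the query; what a patched or
    #     magic_quotes-protected target does with the request is not
    #     checked here.
    postdata =
      "month=11'" + script + "&" +
      "day=11&" +
      "year=2005&" +
      "subject=NESSUS&" +
      "description=Plugin+Check&" +
      "action=do_addevent";
    
    w = http_send_recv3(
      method : "POST",
      item   : dir + "/calendar.php",
      port   : port,
      data   : postdata,
      content_type : "application/x-www-form-urlencoded",
      exit_on_fail : TRUE
    );
    res = w[2];
    
    # There's a problem if we get a syntax error involving our script name.
    # (The marker is used in the regex as-is; its '.' matches any character,
    # which is harmless for a name this specific.)
    if (egrep(pattern:"an error in your SQL syntax.+ near '"+script, string:res))
    {
      output = strstr(res, "an error in your SQL syntax");
      if (empty_or_null(output)) output = res;
    
      security_report_v4(
        port       : port,
        severity   : SECURITY_HOLE,
        generic    : TRUE,
        sqli       : TRUE,  # Sets SQLInjection KB key
        request    : make_list(http_last_sent_request()),
        output     : chomp(output)
      );
      exit(0);
    }
    
    # The form was present and the injection produced no error.
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);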
    
  • NASL familyCGI abuses
    NASL idMYBB_RATING_SQL_INJECTION.NASL
    description: The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the 'rating' parameter of the ratethread.php script; a remote attacker can exploit this to manipulate SQL queries.
    last seen2020-06-01
    modified2020-06-02
    plugin id19716
    published2005-09-17
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19716
    titleMyBB ratethread.php 'rating' Parameter SQLi
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration.  Everything in this block is metadata the scanner
    # reads when it loads the plugin; the actual check begins after the
    # closing brace.
    if (description)
    {
      script_id(19716);
      script_version("1.25");
      script_cvs_date("Date: 2018/11/15 20:50:18");
    
      # Tagged with CVE-2005-4200 only; the BID is a separate, earlier
      # reference from the one used by the calendar.php plugin (15793).
      script_cve_id("CVE-2005-4200");
      script_bugtraq_id(14786);
    
      script_name(english:"MyBB ratethread.php 'rating' Parameter SQLi");
      script_summary(english:"Checks for rating parameter SQL injection vulnerability in MyBB.");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a PHP application that is affected by a
    SQL injection vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of MyBB installed on the remote host is affected by a SQL
    injection vulnerability due to improper sanitization of user-supplied
    input to the 'rating' parameter of the ratethread.php script. A remote
    attacker can exploit this issue to manipulate SQL queries, resulting
    in the disclosure of sensitive information and modification of data.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Dec/285");
      # NOTE(review): this recommends a PHP-setting workaround, not a code
      # fix.  The companion plugin for the same CVE (mybb_10.nasl) reports
      # further MyBB injections that work even with 'magic_quotes_gpc'
      # enabled and advises upgrading to MyBB 1.0 or later; treat that
      # upgrade as the real remediation and this setting as, at best, a
      # stop-gap.
      script_set_attribute(attribute:"solution", value:"Enable PHP's 'magic_quotes_gpc' setting.");
      # CVSSv2 base: network-reachable, low complexity, no authentication,
      # partial C/I/A impact (the calendar.php plugin rates the same CVE
      # as complete).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # NOTE(review): the plugin publication date (2005/09/17) precedes the
      # vulnerability publication date (2005/12/09); given the September-era
      # BID above, the vuln date looks like it was taken from the later
      # advisory -- confirm.
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/17");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mybb:mybb");
      script_end_attributes();
    
      # ACT_ATTACK: the check below sends an injection payload against a
      # thread-rating UPDATE, i.e. it is not a passive probe.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      # Relies on the MyBB detection plugin having already recorded an
      # install (get_install_count / get_single_install below read it).
      script_dependencies("mybb_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP", "installed_sw/MyBB");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # Main check.  The rating update on ratethread.php needs an existing
    # thread id, so the front page is scraped for a "lastpost" link first.
    # The injected 'rating' value then has to surface in a MySQL 1064 error
    # that quotes this plugin's name inside the threads UPDATE statement.
    app = "MyBB";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    
    install = get_single_install(
      app_name : app,
      port     : port
    );
    
    dir = install['path'];
    install_url = build_url(port:port, qs:dir);
    
    # Step 1: harvest a thread id from the index page.
    w = http_send_recv3(
      method : "GET",
      item   : dir + "/index.php",
      port   : port,
      exit_on_fail : TRUE
    );
    index_page = w[2];
    
    tid_pat = '<a href="showthread\\.php\\?tid=([0-9]+)&amp;action=lastpost';
    tid = NULL;
    index_hits = egrep(pattern:tid_pat, string:index_page);
    if (index_hits)
    {
      # Take the first link that yields a numeric id and stop.
      foreach line (split(index_hits))
      {
        hit = eregmatch(pattern:tid_pat, string:chomp(line));
        if (!empty_or_null(hit))
        {
          tid = hit[1];
          break;
        }
      }
    }
    if (empty_or_null(tid)) exit(0, "Unable to find a thread id on the " +app+ " install at " + install_url);
    
    # Step 2: fire the injection.  The advisory uses a POST, but the code
    # also accepts a GET, which is quicker from a plugin.  The plugin's own
    # file name is the marker we expect to see quoted in the error.
    script = SCRIPT_NAME;
    url = "/ratethread.php?tid=" + tid + "&rating=1'" + script;
    w = http_send_recv3(
      method :"GET",
      item   : dir + url,
      port   : port,
      exit_on_fail : TRUE
    );
    body = w[2];
    
    # Step 3: only a 1064 syntax error naming our marker inside the
    # numratings UPDATE counts as proof; anything else is "not affected".
    err_pat = "mySQL error: 1064<br>.+near '" +script+ "' .+Query: UPDATE .*threads SET numratings";
    if (!egrep(string:body, pattern:err_pat))
      audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
    
    evidence = strstr(body, "mySQL error: 1064");
    if (empty_or_null(evidence)) evidence = body;
    
    security_report_v4(
      port       : port,
      severity   : SECURITY_HOLE,
      generic    : TRUE,
      sqli       : TRUE,  # Sets SQLInjection KB key
      request    : make_list(install_url + url),
      output     : chomp(evidence)
    );
    exit(0);