Vulnerabilities > CVE-2005-4200 - SQL Injection vulnerability in MyBB
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
(These fields mirror the CVSS v2 base vector AV:N/AC:L/Au:N/C:C/I:C/A:C recorded in Nessus plugin 20342 below; note that plugin 19716 scores its ratethread.php finding lower, at C:P/I:P/A:P.)
Summary
Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0 have unknown impact and attack vectors, a different set of vulnerabilities than those identified by CVE-2005-4199. The NVD text does not name the affected scripts; the two Nessus plugins listed below (20342 and 19716) each test one concrete SQL injection that has been mapped to this CVE — the 'month' parameter of calendar.php and the 'rating' parameter of ratethread.php — so a hit from either should be tracked against this CVE, with MyBB 1.0 as the fixed release boundary.
Vulnerable Configurations
Nessus
NASL family CGI abuses NASL id MYBB_10.NASL description The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the last seen 2020-06-01 modified 2020-06-02 plugin id 20342 published 2005-12-24 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20342 title MyBB calendar.php 'month' Parameter SQLi code
#
# (C) Tenable Network Security, Inc.
#

# Active check for the calendar.php 'month' SQL injection in MyBB
# (CVE-2005-4199 / CVE-2005-4200, BID 15793).
#
# How it works: a 'do_addevent' form is POSTed with a single quote and this
# plugin's own filename spliced into 'month'.  The host is flagged only when
# the MySQL syntax error in the response quotes that filename back, so a
# pre-existing error on the page cannot produce a match.
#
# NOTE(review): this is an ACT_ATTACK plugin that submits a real calendar
# event (month 11 / day 11 / year 2005, subject "NESSUS").  On a patched
# install that casts 'month' to an integer the event may actually be
# created - confirm before running against production boards.
# Detection is error-based: a vulnerable install that suppresses MySQL
# error output is reported as NOT affected (false negative), never as
# affected by mistake.

include("compat.inc");

if (description)
{
  script_id(20342);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2005-4199", "CVE-2005-4200");
  script_bugtraq_id(15793);

  script_name(english:"MyBB calendar.php 'month' Parameter SQLi");
  script_summary(english:"Checks for a SQL injection vulnerability.");

  script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a PHP application that is affected by a SQL injection vulnerability.");
  script_set_attribute(attribute:"description", value:
    "The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the 'month' parameter of the calendar.php script. A remote, unauthenticated attacker can exploit this issue to manipulate SQL queries, resulting in the disclosure of sensitive information and modification of data. Note that the application is also reportedly affected by several additional SQL injection vulnerabilities, many of which can be exploited even if PHP's 'register_globals' setting is disabled and the 'magic_quotes_gpc' setting is enabled. 
However, Nessus has not tested for these additional issues.");
  script_set_attribute(attribute:"see_also", value:"http://www.trapkit.de/advisories/TKADV2005-12-001.txt");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/1236");
  script_set_attribute(attribute:"see_also", value:"https://community.mybb.com/showthread.php?tid=5184");
  script_set_attribute(attribute:"solution", value:"Upgrade to MyBB 1.0 or later.");

  # CVSS2 base/temporal scoring as published with the plugin.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/24");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mybb:mybb");
  script_end_attributes();

  # ACT_ATTACK: the probe below writes to the application, it is not read-only.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("mybb_detect.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP", "installed_sw/MyBB");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "MyBB";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);
install = get_single_install(app_name:app, port:port);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

# The marker spliced into 'month' is this plugin's filename; it is the
# token we expect the DBMS to echo back inside its syntax error.
marker = SCRIPT_NAME;

# Bail out early unless calendar.php is present and serves its form.
reply = http_send_recv3(
  method       : "GET",
  item         : dir + "/calendar.php",
  port         : port,
  exit_on_fail : TRUE
);
page = reply[2];

if ('<form action="calendar.php" method=' >!< page)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

# Build the do_addevent submission with a single quote spliced into 'month'.
form =
  "month=11'" + marker +
  "&day=11" +
  "&year=2005" +
  "&subject=NESSUS" +
  "&description=Plugin+Check" +
  "&action=do_addevent";

reply = http_send_recv3(
  method       : "POST",
  item         : dir + "/calendar.php",
  port         : port,
  data         : form,
  content_type : "application/x-www-form-urlencoded",
  exit_on_fail : TRUE
);
page = reply[2];

# Vulnerable only if the syntax error quotes our marker back to us.
if (!egrep(pattern:"an error in your SQL syntax.+ near '" + marker, string:page))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

evidence = strstr(page, "an error in your SQL syntax");
if (empty_or_null(evidence)) evidence = page;

security_report_v4(
  port     : port,
  severity : SECURITY_HOLE,
  generic  : TRUE,
  sqli     : TRUE,   # also sets the SQLInjection KB key
  request  : make_list(http_last_sent_request()),
  output   : chomp(evidence)
);
exit(0);
NASL family CGI abuses NASL id MYBB_RATING_SQL_INJECTION.NASL description The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the last seen 2020-06-01 modified 2020-06-02 plugin id 19716 published 2005-09-17 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19716 title MyBB ratethread.php 'rating' Parameter SQLi code
#
# (C) Tenable Network Security, Inc.
#

# Active check for the ratethread.php 'rating' SQL injection in MyBB
# (CVE-2005-4200, BID 14786).
#
# How it works: a thread id is scraped from the forum index, then
# ratethread.php is requested with a single quote and this plugin's own
# filename spliced into 'rating'.  A match requires a MySQL 1064 error
# that quotes the filename AND names the "UPDATE ... threads SET numratings"
# query, which ties the error to our request rather than to unrelated
# page noise.
#
# NOTE(review): this is an ACT_ATTACK plugin.  On an install that casts
# 'rating' to an integer the request may still register a real rating of
# 1 on the harvested thread - confirm before scanning production boards.
# Detection is error-based, so suppressed MySQL error output yields a
# false negative, not a false positive.
# NOTE(review): the recorded solution (enable magic_quotes_gpc) is a
# PHP-side workaround, not an application fix; magic_quotes was removed
# from PHP long ago, so on current PHP it cannot be enabled at all.  The
# CVE scopes the issue to MyBB releases before 1.0, so upgrading is the
# remediation worth recommending - verify against the vendor advisory.
# NOTE(review): vuln_publication_date (2005/12/09) is later than
# plugin_publication_date (2005/09/17); the former looks copied from the
# December advisory and may not reflect BID 14786's actual date - confirm.

include("compat.inc");

if (description)
{
  script_id(19716);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2005-4200");
  script_bugtraq_id(14786);

  script_name(english:"MyBB ratethread.php 'rating' Parameter SQLi");
  script_summary(english:"Checks for rating parameter SQL injection vulnerability in MyBB.");

  script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a PHP application that is affected by a SQL injection vulnerability.");
  script_set_attribute(attribute:"description", value:
    "The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the 'rating' parameter of the ratethread.php script. 
A remote attacker can exploit this issue to manipulate SQL queries, resulting in the disclosure of sensitive information and modification of data.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Dec/285");
  script_set_attribute(attribute:"solution", value:"Enable PHP's 'magic_quotes_gpc' setting.");

  # CVSS2 base/temporal scoring as published with the plugin (RL:U - no
  # official remediation recorded, consistent with the workaround above).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/17");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mybb:mybb");
  script_end_attributes();

  # ACT_ATTACK: the probe below may write a rating, it is not read-only.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("mybb_detect.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP", "installed_sw/MyBB");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "MyBB";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);
install = get_single_install(app_name:app, port:port);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

# ratethread.php only reaches its UPDATE with a real thread id, so harvest
# the first one advertised by a 'lastpost' link on the forum index.
reply = http_send_recv3(
  method       : "GET",
  item         : dir + "/index.php",
  port         : port,
  exit_on_fail : TRUE
);
index_page = reply[2];

link_re = '<a href="showthread\\.php\\?tid=([0-9]+)&action=lastpost';
tid = NULL;
hits = egrep(pattern:link_re, string:index_page);
if (hits)
{
  foreach line (split(hits))
  {
    m = eregmatch(pattern:link_re, string:chomp(line));
    if (empty_or_null(m)) continue;
    tid = m[1];
    break;
  }
}
if (empty_or_null(tid))
  exit(0, "Unable to find a thread id on the " + app + " install at " + install_url);

# The advisory exploits this with a POST, but the code path accepts a GET
# as well, which is cheaper for a plugin.  The marker is this plugin's
# filename so the error text can be tied to our own request.
marker = SCRIPT_NAME;
probe = "/ratethread.php?tid=" + tid + "&rating=1'" + marker;

reply = http_send_recv3(
  method       : "GET",
  item         : dir + probe,
  port         : port,
  exit_on_fail : TRUE
);
page = reply[2];

# Require both our marker and the numratings UPDATE in the 1064 error.
err_re =
  "mySQL error: 1064<br>.+near '" + marker + "' .+Query: UPDATE .*threads SET numratings";
if (!egrep(string:page, pattern:err_re))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

evidence = strstr(page, "mySQL error: 1064");
if (empty_or_null(evidence)) evidence = page;

security_report_v4(
  port     : port,
  severity : SECURITY_HOLE,
  generic  : TRUE,
  sqli     : TRUE,   # also sets the SQLInjection KB key
  request  : make_list(install_url + probe),
  output   : chomp(evidence)
);
exit(0);