CVE-2006-1912 - Cross-Site Scripting vulnerability in Mybulletinboard 1.10

CVSS 5.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE

network, mybulletinboard, nessus, exploit available

Summary

MyBB (MyBulletinBoard) 1.1.0 does not set the KILL_GLOBAL constant in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract call, which could then be leveraged to conduct cross-site scripting (XSS) or SQL injection attacks. Upgrade to MyBB 1.1.1.

Vulnerable Configurations

Part          Description       Count
Application   Mybulletinboard   1

Exploit-Db

description: MyBB 1.1 Global Variable Overwrite Vulnerability. CVE-2006-1912. Webapps exploit for php platform
id: EDB-ID:27667
last seen: 2016-02-03
modified: 2006-04-17
published: 2006-04-17
reporter: imei
source: https://www.exploit-db.com/download/27667/
title: MyBB 1.1 Global Variable Overwrite Vulnerability

Nessus

NASL family: CGI abuses
NASL id: MYBB_GLOBAL_VARS_OVERWRITE.NASL
description: The version of MyBB installed on the remote host is affected by a global variable overwrite vulnerability due to a failure to properly initialize global variables in the global.php script. A remote, unauthenticated attacker can exploit this issue to overwrite global variables to launch a SQL injection attack against the application, as well as other attacks using GET or POST HTTP requests.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21239
published: 2006-04-17
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/21239
title: MyBB global.php 'KILL_GLOBAL' Overwrite SQL Injection