Hello,
I noticed security vulnerability report in mailing list:
http://seclists.org/bugtraq/2012/Jun/29
I tried to verify this without success (usual scenario with Amir). Could someone verify this is not valid issue?
This is not a valid issue. warning_level is not a valid action within member.php.
Again, it's an invalid report. It's a vulnerability within a plugin not within MyBB.
Are you sure this is really an inconvenience unraveling, ohh?
This is because I
http://www.mihanhack.com/forums/member.p...file&uid=9 '
And until now has not been hacked and someone has released a bug that wants to hurt us.
I did not bug me, bug Czech officer may explain the better you get
These vulnerabilities do not affect 1.6.8, unless you have those plugins installed.
(2012-06-09, 04:56 AM)s3ri0s Wrote: [ -> ]This is because I http://www.mihanhack.com/forums/member.p...file&uid=9 '
If you look at the SQL error that spits out:
SELECT * FROM mybb_adv_ratings WHERE fuid='9'' AND uid='0'
It should be immediately obvious that mybb_adv_ratings is not a default MyBB table.
I already contacted the author of the Advanced Profile plugin via PM on MyBB source, but seeing as it's not hosted on the mods site we can't take it down. I'm also not sure if the vulnerability is in the latest version of the plugin.