MyBB Community Forums

Full Version: Blind SQL Injections
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
I had quite a reputable member, from a forum I won't say (unethical content), tell me that my forum had two SQL vulnerabilities.

His statement was:

Quote:There are 2 blind SQL injections.

One on member and one of post sorting.

My forum is capitalcorporation.co.

I find it hard to believe that there could be vulnerabilities on stock MyBB pages.

Is this true?
(2012-12-18, 04:07 AM)Xeronations Wrote: [ -> ]I find it hard to believe that there could be vulnerabilities on stock MyBB pages.

There most likely are a few we haven't discovered yet. As long as you're running the latest version of MyBB (1.6.9) you should be fine. We aren't aware of any blind SQL injection vulnerabilities within the latest version of MyBB.

I'd advise you ask this person for proof of concept. Chances are it's a member from HF who read a tutorial on SQL injection and now thinks he's knows everything about web security. They wouldn't bother to tell you they found a vulnerability if they won't provide you with proof.
(2012-12-18, 04:16 AM)Nathan Malcolm Wrote: [ -> ]
(2012-12-18, 04:07 AM)Xeronations Wrote: [ -> ]I find it hard to believe that there could be vulnerabilities on stock MyBB pages.

There most likely are a few we haven't discovered yet. As long as you're running the latest version of MyBB (1.6.9) you should be fine. We aren't aware of any blind SQL injection vulnerabilities within the latest version of MyBB.

I'd advise you ask this person for proof of concept. Chances are it's a member from HF who read a tutorial on SQL injection and now thinks he's knows everything about web security. They wouldn't bother to tell you they found a vulnerability if they won't provide you with proof.

Ah, thank you. The member was actually Codevade, who seems quite respectable. But yes, I am running 1.6.9. Thanks for the response.
If you could find vulnerabilities just because someone says "they exist", there wouldn't be any.

Ask him to provide more detail.

Although a blind sql injection is unlikely with MyBB as MyBB likes to be quite verbose about SQL errors, and blind injections are usually only for sites which suppress/hide such errors from the user.

There may be vulnerabilities in MyBB (1.6.9 fixed one that was around, like, forever). There are lots of plugins with vulnerabilities on the mods site, sometimes blatantly obvious ones, but there's only so much you can expect from a simple approval process I guess, and they always seem obvious after someone pointed them out to you...
Have you not read the blog?

all myBB forum owners are now reqired
to upgrade to MyBB V1.6.9.
(2012-12-21, 07:27 PM)Master24 Wrote: [ -> ]Have you not read the blog?

all myBB forum owners are now reqired
to upgrade to MyBB V1.6.9.

The posthash vulnerability has nothing to do with the above concerns.
Check this and see if you have none of those plugins: http://www.exploit-db.com/search/?action...filter_cve=
well what I saw it part of a bug
in V1.6.8. Sad

that why I upgraded.
(2012-12-21, 07:34 PM)Master24 Wrote: [ -> ]well what I saw it part of a bug
in V1.6.8. Sad

that why I upgraded.

There was a vulnerability fixed in 1.6.9, but the vulnerabilities posted in the OP are non existent as far we we know.
(2012-12-21, 07:33 PM)::Leon:: Wrote: [ -> ]Check this and see if you have none of those plugins: http://www.exploit-db.com/search/?action...filter_cve=

I have one. Sad

(2012-12-21, 07:35 PM)Nathan Malcolm Wrote: [ -> ]
(2012-12-21, 07:34 PM)Master24 Wrote: [ -> ]well what I saw it part of a bug
in V1.6.8. Sad

that why I upgraded.

good to hear that. Smile
There was a vulnerability fixed in 1.6.9, but the vulnerabilities posted in the OP are non existent as far we we know.
Pages: 1 2