MyBB Community Forums

Full Version: Possible MyBB SQL injection Vuln
The MySQL database has been hacked on my site the last few days, although because of a protected admin panel they haven't got CP access, although my password keeps getting changed. Also, somebody posted on my forum saying there was a MyBB SQL injection vuln about, and he said it went something like this...

showthread.php?tid=1550/**/and/**/ascii(substring((select/**/schema_name/**/from/**/information_schema.schemata/**/limit/**/[row],1),[+],1))=[char]--

If this could be investigated further that would be great
This is rubbish. As I explained to somebody else who brought this up, tid is intval'd, it will strip off all that stuff after the actual id. It's not a vulnerability at all.

Also, for future reference, posting something you think might be a vulnerability in public is not exactly a very good idea.

If your MySQL database is being hacked, get your host to help you track down the cause. There's a good chance it's nothing to do with us at all.
This is also completely false and doesn't even work. Stop reporting it.
Click this link:

http://community.mybb.com/showthread.php...)=[char]--

That's the URL of this thread with all that other stuff at the end; nothing's happened. tid is intval'd.
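
What the replies mean by "tid is intval'd", as an added example that is not part of the thread and not MyBB's own code: PHP's intval() keeps only the leading digits of the posted parameter, so the query receives 1550 and nothing else. The function names and the `threads` table are assumptions; the strict variant goes beyond the thread and rejects such input outright so the request can be logged.

```php
<?php
// Added illustration; not MyBB source. Function and table names are assumptions.

// tid value from the URL posted in the thread, placeholders left as posted.
$posted = '1550/**/and/**/ascii(substring((select/**/schema_name/**/from/**/'
        . 'information_schema.schemata/**/limit/**/[row],1),[+],1))=[char]--';

// Cast first, then build the query: intval() reads the leading digits and
// discards the rest, so none of the appended SQL reaches the statement.
function query_with_cast(string $tid): string
{
    $tid = intval($tid);
    return "SELECT subject FROM threads WHERE tid='{$tid}'";
}

// Hypothetical unsafe form, shown only for contrast: the raw string is
// concatenated, so whatever follows the id becomes part of the SQL.
function query_without_cast(string $tid): string
{
    return "SELECT subject FROM threads WHERE tid=" . $tid;
}

// Stricter variant: accept only a positive integer and return null for
// anything else, instead of silently truncating it.
function strict_tid(string $tid): ?int
{
    $id = filter_var($tid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample inputs, including the posted value.
$samples = [$posted, '1550', '1550 or 1=1', 'abc', ''];

foreach ($samples as $tid) {
    printf("input:       %s\n", $tid === '' ? '(empty)' : $tid);
    printf("  intval:    %d\n", intval($tid));
    printf("  strict:    %s\n", var_export(strict_tid($tid), true));
    printf("  with cast: %s\n", query_with_cast($tid));
    printf("  no cast:   %s\n\n", query_without_cast($tid));
}
```
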
(2010-10-31, 07:16 PM)Kyuubi Wrote: This is also completely false and doesn't even work. Stop reporting it.

First time I reported it.