Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago Amir reported SQL-injection in 1.6.8
#1
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
Hello,

I noticed security vulnerability report in mailing list: http://seclists.org/bugtraq/2012/Jun/29

I tried to verify this without success (usual scenario with Amir). Could someone verify this is not valid issue?
#2
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
This is not a valid issue. warning_level is not a valid action within member.php.
#3
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
Thank you fast response.
#4
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
i have a question.
did anyone reports bugs from mybb a few days ago?
mr fgeek published one of them and i want to publish another one.
im not sure, please check http://packetstormsecurity.org/files/113...ction.html and tell me is this a bug? or not?
#5
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
Again, it's an invalid report. It's a vulnerability within a plugin not within MyBB.
#6
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
What plugin is this bug?

I have a site for a demo http://www.mihanhack.com/forums/member.p...file&uid=9 '

The full explanation is unraveling, ohh Please do harm Dhdyd
#7
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
I believe it's this plugin: http://mybbsource.com/thread-3991.html
#8
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
Are you sure this is really an inconvenience unraveling, ohh?

This is because I http://www.mihanhack.com/forums/member.p...file&uid=9 '

And until now has not been hacked and someone has released a bug that wants to hurt us.

I did not bug me, bug Czech officer may explain the better you get
#9
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
These vulnerabilities do not affect 1.6.8, unless you have those plugins installed.
#10
Solved: 4 Years, 3 Months, 3 Weeks, 1 Day, 21 Hours, 17 Minutes ago
(06-09-2012, 04:56 AM)s3ri0s Wrote: This is because I http://www.mihanhack.com/forums/member.p...file&uid=9 '

If you look at the SQL error that spits out:
Code:
SELECT * FROM mybb_adv_ratings WHERE fuid='9'' AND uid='0'

It should be immediately obvious that mybb_adv_ratings is not a default MyBB table.

I already contacted the author of the Advanced Profile plugin via PM on MyBB source, but seeing as it's not hosted on the mods site we can't take it down. I'm also not sure if the vulnerability is in the latest version of the plugin.


Forum Jump:


Users browsing this thread: 1 Guest(s)