MyBB

frostschutz · (This post was last modified: 2011-10-12, 10:42 AM by frostschutz.)

This user has been denied support.

This plugin has a SQL injection vulnerability that allows anyone to gain admin permissions.

In signature.php

   $db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$mybb->input['afs_type']}', [...]

The inputs aren't escaped so anyone can for example change the admin users password.

Original exploit was posted here

http://www.smoothblog.co.uk/2011/10/11/h...injection/

onurcakko · (This post was last modified: 2011-10-13, 07:23 PM by onurcakko.)

turkish utf8 not support :@

007combatant · 2011-10-13, 07:26 PM

yes turkish utf8 not support

this screenshot

coco_moco · 2011-11-10, 09:17 AM

Is there a way to fix the security vulnerability in this plugin?

traiphonuiktvn · 2011-12-24, 02:30 AM

ple help me, vietnamese utf8 not support.

7uyk · 2012-03-16, 09:35 PM

Great plugin Smile

MrAnderson · 2012-03-17, 01:08 AM

UTF8 support there yet ?

MadComp · 2012-07-19, 09:11 PM

(2011-10-12, 10:41 AM)frostschutz Wrote: This plugin has a SQL injection vulnerability that allows anyone to gain admin permissions.

In signature.php
   $db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$mybb->input['afs_type']}', [...]
The inputs aren't escaped so anyone can for example change the admin users password.

Original exploit was posted here

http://www.smoothblog.co.uk/2011/10/11/h...injection/

Is there a way to fix this yet? I can't use it until this is fixed!

Omar G. · 2012-07-19, 09:27 PM

Open th root file, find:

$db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$mybb->input['afs_type']}', `afs_background`='{$mybb->input['afs_background']}', `afs_showonline`={$mybb->input['afs_showonline']}, `afs_full_line1`='{$mybb->input['afs_full_line1']}', `afs_full_line2`='{$mybb->input['afs_full_line2']}', `afs_full_line3`='{$mybb->input['afs_full_line3']}', `afs_full_line4`='{$mybb->input['afs_full_line4']}', `afs_full_line5`='{$mybb->input['afs_full_line5']}', `afs_full_line6`='{$mybb->input['afs_full_line6']}', `afs_bar_left`='{$mybb->input['afs_bar_left']}', `afs_bar_center`='{$mybb->input['afs_bar_center']}', `afs_bar_right`='{$mybb->input['afs_bar_right']}' WHERE `uid`='{$mybb->user['uid']}';");

Change for this:

$db->query("UPDATE ".TABLE_PREFIX."users SET `afs_type`='{$db->escape_string($mybb->input['afs_type'])}', `afs_background`='{$db->escape_string($mybb->input['afs_background'])}', `afs_showonline`={$db->escape_string($mybb->input['afs_showonline'])}, `afs_full_line1`='{$db->escape_string($mybb->input['afs_full_line1'])}', `afs_full_line2`='{$db->escape_string($mybb->input['afs_full_line2'])}', `afs_full_line3`='{$db->escape_string($mybb->input['afs_full_line3'])}', `afs_full_line4`='{$db->escape_string($mybb->input['afs_full_line4'])}', `afs_full_line5`='{$db->escape_string($mybb->input['afs_full_line5'])}', `afs_full_line6`='{$db->escape_string($mybb->input['afs_full_line6'])}', `afs_bar_left`='{$db->escape_string($mybb->input['afs_bar_left'])}', `afs_bar_center`='{$db->escape_string($mybb->input['afs_bar_center'])}', `afs_bar_right`='{$db->escape_string($mybb->input['afs_bar_right'])}' WHERE `uid`='{$mybb->user['uid']}';");

MadComp · 2012-07-19, 10:21 PM

Thanks Omar! I'll gladly use this plugin now!

Login
Username:
Password:	Lost Password?
	Remember me