MyBB < 1.6.11 Multiple Vulnerabilities

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server hosts a PHP application that is affected by
multiple vulnerabilities.

Description :

According to its version number, the MyBB install running on the
remote web server is affected by multiple vulnerabilities :

- A flaw exists in which accounts without login keys can
be hijacked. (OSVDB 98315)

- An information disclosure vulnerability exists due to
improper implementation of UTF8. A remote attacker can
exploit this to bypass authorization checks on viewing
private messages. (OSVDB 98316)

- An information disclosure vulnerability exists due to
log files exposing database backup information.
(OSVDB 98317)

- An information disclosure vulnerability exists due to
anonymous statistics not always being set as anonymous.
(OSVDB 98318)

- An unspecified flaw exists in the generate_post_check()
function that allows an attacker to have an unspecified
impact. (OSVDB 98319)

Note that Nessus has not tested for these issues but has instead
relied on the application's self-reported version number.

Solution :

Upgrade to version 1.6.11 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : false

Family: CGI abuses

Nessus Plugin ID: 72686

Bugtraq ID: 62933