FreeBSD : mybb -- multiple vulnerabilities (beb6f4a8-add5-11de-8b55-0030843d3802)

This script is Copyright (C) 2009-2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

mybb team reports :

Input passed via avatar extensions is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL
queries by uploading specially named avatars.

The script allows users to sign up with usernames containing zero-width
space characters, which can be exploited to e.g. conduct spoofing
attacks.

See also :

http://dev.mybboard.net/issues/464
http://dev.mybboard.net/issues/418
http://www.nessus.org/u?ffbe4fb6
http://www.nessus.org/u?b014c211

Solution :

Update the affected package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 7.1
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 41948 (freebsd_pkg_beb6f4a8add511de8b550030843d3802.nasl)

Bugtraq ID: 36460

CVE ID:
