MyBB < 1.1.1 Multiple Script Variable Overwrite

High Nessus Network Monitor Plugin ID 3519

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote version of MyBB does not properly initialize global variables in the 'global.php' and 'inc/init.php' scripts. An unauthenticated attacker can leverage this issue to overwrite global variables through GET and POST requests and launch other attacks against the affected application.

Solution

Upgrade to version 1.1.1 or higher.

See Also

http://www.securityfocus.com/archive/1/431061/30/0/threaded

http://community.mybboard.net/showthread.php?tid=8232

Plugin Details

Severity: High

ID: 3519

File Name: 3519.prm

Family: CGI

Published: 2004/08/18

Modified: 2016/01/15

Dependencies: 1442

Nessus ID: 21239

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Reference Information

CVE: CVE-2006-1912

BID: 17564, 17872

OSVDB: 24710