MyBB <= 1.1.1 showthread.php comma Parameter SQL Injection
Medium Nessus Network Monitor Plugin ID 3561
Synopsis: The remote host is vulnerable to a SQL Injection attack.
Description: The remote version of MyBB does not properly parse user-supplied input to the showthread.php script. An attacker can pass data to showthread.php such that, upon parsing, the web server is tricked into sending a malformed SQL query to the backend database. Successful exploitation results in the attacker executing arbitrary SQL commands on the database.
Solution: No solution is known at this time.