MyBB < 1.1.6 HTTP Header CLIENT-IP Field SQL Injection
Medium Nessus Network Monitor Plugin ID 3689
The remote web server contains a PHP application that is susceptible to a SQL injection attack.
The remote version of MyBB fails to sanitize input to the 'CLIENT-IP' request header before using it in a database query when initiating a sesion in 'inc/class_session.php'. This may allow an unauthenticated attacker to uncover sensitive information such as password hashes, modify data, launch attacks against the underlying database, and more. Note that successful exploitation is possible regardless of PHP's settings.