
MyBB <= 1.1.1 showthread.php comma Parameter SQL Injection

Medium

Synopsis

The remote host is vulnerable to a SQL injection attack.

Description

The remote version of MyBB does not properly parse user-supplied input passed to the showthread.php script in the 'comma' parameter. An attacker can pass data to showthread.php such that, upon parsing, the application sends a malformed SQL query to the backend database. Successful exploitation results in the attacker executing arbitrary SQL commands on the database.

Solution

No solution is known at this time.