Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

MyBB < 1.1.6 HTTP Header CLIENT-IP Field SQL Injection



The remote web server contains a PHP application that is susceptible to a SQL injection attack.


The remote version of MyBB fails to sanitize input to the 'CLIENT-IP' request header before using it in a database query when initiating a sesion in 'inc/class_session.php'. This may allow an unauthenticated attacker to uncover sensitive information such as password hashes, modify data, launch attacks against the underlying database, and more. Note that successful exploitation is possible regardless of PHP's settings.


Upgrade to version 1.1.6 or higher.