ORIGINAL ADVISORY:
myimei.com/security/2006-06-21/mybb113option-update-for-code-buttonssql-injection-admin-access.html
-Summary-
Software: MyBB
Sowtwares Web Site: http://www.mybboard.com
Versions: 1.1.3
Class: Remote
Status: Patched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level: very high
Description
There is a security bug in MyBB 1.1.3 software (latest version fully patched) file usercp.php that allows attacker performe a SQLINJECTION attack.
bug is in result of poor checking quotations for user suplied variables in integer format while code try to cast string to integers and also forgetting to addslashing varables that will insert into a sql query.
Because this bug is in an INSERT query on user tables, there is an easy way to make your self, forums admin, also other attacks are possible too.
See Also
{usercp.php}near 721
if($mybb->input[showcodebuttons] != 1)
{
$mybb->input[showcodebuttons] = 0;
}
Exploit-
mybb/usercp.php?action=do_options&
showcodebuttons=1,additionalgroups=4
Solution
upgrade to vendors provided patch
Credit
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security

-------

By FarhadKey On 22 Jun 2006