Release date:
Updated on:
Affected Systems:
MyBB User Profile Skype ID
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57096
The User Profile Skype ID plug-in allows users to add their Skype IDs to their profiles.
User Profile Skype ID does not validate the "skype" parameter in profileskype.php before passing it to the database, which leads to an SQL injection vulnerability. Remote attackers can use crafted SQL statements to perform arbitrary database operations.
<* Source: Zixem *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
<?php
$plugins->add_hook("datahandler_user_update", "profileskype_update"); /* Line 15 */

function profileskype_update($skype) /* Line 167 */
{
    global $mybb;

    if(isset($mybb->input['skype']))
    {
        // The raw request value is stored in the datahandler's update data
        // without validation or escaping, so it reaches the SQL query unchanged.
        $skype->user_update_data['skype'] = $mybb->input['skype'];
    }
}
?>
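For comparison, a hardened version of the same hook, added here as an example and not taken from the plugin or from any vendor patch. It assumes MyBB's $db->escape_string() and the datahandler object passed to the datahandler_user_update hook; the Skype ID character class is an assumed allow-list.

```php
<?php
// Added example (not the plugin's code): validate and escape the "skype"
// value before it is handed to the datahandler.
$plugins->add_hook("datahandler_user_update", "profileskype_update_safe");

function profileskype_update_safe($handler)
{
    global $mybb, $db;

    if(!isset($mybb->input['skype']))
    {
        return;
    }

    $skype = trim($mybb->input['skype']);

    // Allow-list (assumed): 6-32 characters, starting with a letter, using only
    // letters, digits, dots, commas, dashes and underscores. Quotes, spaces and
    // SQL metacharacters never pass, so the value is dropped rather than stored.
    if($skype !== "" && !preg_match('/^[A-Za-z][A-Za-z0-9.,_-]{5,31}$/', $skype))
    {
        return;
    }

    // Defence in depth: escape for the SQL layer even after validation, since
    // the plugin's own code shown above relies on the datahandler alone.
    $handler->user_update_data['skype'] = $db->escape_string($skype);
}
?>
```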
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
MyBB
----
Currently, the vendor does not provide a patch or upgrade. We recommend that users of this software follow the vendor's homepage to obtain the latest version:
http://mods.mybb.com/view/user-profile-skype-id