MyBB Profile Album Plugin 'album' Parameter SQL Injection Vulnerability
Release date:
Updated on:
Affected Systems:
MyBB Profile Album 0.9
Description:
--------------------------------------------------------------------------------
Bugtraq id: 55943
MyBB is a popular Web forum program.
The Profile Album plug-in is vulnerable to SQL injection through the 'album' parameter of albums.php. After successful exploitation, an attacker can compromise the application, access or modify data, and exploit other latent vulnerabilities.
<* Source: Th3FreakPony *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://www.example.com/albums.php?action=editimage&image=[Valid_ID]&album=[Valid_album_ID][SQLi]
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
MyBB
----
Currently, the vendor has not provided a patch or upgrade. Users of this software should watch the vendor's homepage for the latest version:
http://www.mybboard.com/
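
Until a fixed version is available, web server access logs can be reviewed for requests to albums.php with action=editimage whose image or album value is not a plain integer. The Python script below is an added example, not part of the original advisory or of the plug-in's code; it assumes combined-format access logs and that both IDs are plain integers, and its sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Parameters shown in the advisory's test URL; assumed here to be integer IDs.
ID_PARAMS = ("image", "album")

def suspicious_params(url):
    """Return {param: decoded value} for ID parameters of
    albums.php?action=editimage whose value is not a plain integer."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/albums.php"):
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)
    if "editimage" not in [v.lower() for v in query.get("action", [])]:
        return {}
    bad = {}
    for name in ID_PARAMS:
        for value in query.get(name, []):
            # parse_qs has already URL-decoded the value, so %27 is seen as '.
            if not re.fullmatch(r"[0-9]+", value):
                bad[name] = value
    return bad

def scan(lines):
    """Yield (line_number, findings) for log lines that need review."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = suspicious_params(match.group(1))
        if findings:
            yield number, findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2013:10:00:00 +0000] "GET /albums.php?action=editimage&image=12&album=3 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2013:10:00:05 +0000] "GET /albums.php?action=editimage&image=12&album=3%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2013:10:00:09 +0000] "GET /albums.php?action=other&album=x HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2013:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer ID parameter(s): {findings}")
```

The same integer-only check can be used as a request filter in front of the forum while the plug-in remains unpatched.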