CVE-2006-1912
MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site scripting (XSS) or SQL injection attacks.
Affected products
n/a · n/a
public PoCs found — 1
exploitdb: www.exploit-db.com/exploits/27667 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://community.mybboard.net/showthread.php?tid=8232
http://myimei.com/security/2006-04-14/mybb110globalphpparameterextracting.html
http://secunia.com/advisories/19668
https://exchange.xforce.ibmcloud.com/vulnerabilities/25865
http://www.osvdb.org/24710
http://www.osvdb.org/24711
http://www.securityfocus.com/archive/1/431061/30/5580/threaded
http://www.vupen.com/english/advisories/2006/1381