MyBB MyStatus 3.1

vendor:

MyStatus

by:

Mario_Vs

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: MyStatus

Affected Version From: 3.1

Affected Version To: 3.1

Patch Exists: NO

Related CWE: N/A

CPE: a:mybb:mystatus:3.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7

2011

MyBB MyStatus 3.1 is vulnerable to a SQL injection vulnerability. An attacker can exploit this vulnerability by sending a crafted HTTP request to the process-mystatus.php script with the action parameter set to delete and the statid parameter set to a malicious SQLi payload.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

---------------------------------------------------------------------
Exploit Title : MyBB MyStatus 3.1
---------------------------------------------------------------------

Author      : Mario_Vs
Date        : 10/10/2011
Site        : http://mariovs.pl/
@  	    : mario_vs[at]o2.pl
---------------------------------------------------------------------

Description >

Vendor 	    : http://mods.mybb.com/download/mystatus
Tested On   : Windows 7
---------------------------------------------------------------------

SQL Injection

http://localhost/mybb/process-mystatus.php?action=delete&statid=[SQLi]
---------------------------------------------------------------------

---------------------------------------------------------------------

Greets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2

All users: HackinQ.pl