Articles for tag "MyBB 1.8.6": 4

MyBB 1.8.6: CSRF, Weak Hashing, Plaintext Passwords
2016 Sep 15

MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using weak hashing, and sends passwords via email in plaintext.

MyBB 1.8.6: XSS
2016 Sep 15

MyBB is forum software written in PHP. In version 1.8.6, it contains various XSS vulnerabilities, some of which are reflected and some of which are persistent. Some of them depend on custom forum or server settings. These issues may lead to the injection of JavaScript keyloggers, injection of content such as ads, or the bypassing of CSRF protection, which would, for example, allow the creation of a new admin user.

MyBB 1.8.6: SQL Injection
2016 Sep 15

MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a second-order SQL injection by an authenticated admin user, allowing the extraction of data from the database.

MyBB 1.8.6: Improper validation of data passed to eval
2016 Sep 15

MyBB is forum software written in PHP. In version 1.8.6, it improperly validates templates that are passed to eval, allowing for the disclosure of the database password. If the database is remotely writable, it may also lead to code execution. An admin account is required.