Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.8
CVE Id CVE-2006-1912
Last Modified 07 Mar 2011 09:34:32
Published 20 Apr 2006 02:06:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2006-1912

Summary

MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site scripting (XSS) or SQL injection attacks.

Vulnerable Systems

Application

  • Mybulletinboard 1.10


References

XF - mybb-global-init-data-manipulation(25865)

VUPEN - ADV-2006-1381

OSVDB - 24711

OSVDB - 24710

SECUNIA - 19668

MISC - http://myimei.com/security/2006-04-14/mybb110globalphpparameterextracting.html

CONFIRM - http://community.mybboard.net/showthread.php?tid=8232

BUGTRAQ - 20060415 [KAPDA]MyBB1.1.0~global.php~ParameterExtracting


Last Updated: 27 May 2016 10:42:15