FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mybb -- multiple vulnerabilities

Affected packages
mybb < 1.4.9

Details

VuXML ID beb6f4a8-add5-11de-8b55-0030843d3802
Discovery 2009-09-21
Entry 2009-09-30

mybb team reports:

Input passed via avatar extensions is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by uploading specially named avatars.

The script allows signing up with usernames containing zero width space characters, which can be exploited to e.g. conduct spoofing attacks.
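Both issues in the report are input-validation failures: a client-supplied avatar file name reaching an SQL statement, and a username that renders identically to another because it carries invisible characters. The following is an added example, not MyBB code and not taken from the advisory, showing the checks a forum would apply on the server side. It uses Python with an in-memory SQLite table standing in for the forum's users table; the schema, the function names and the extension allowlist are assumptions.

```python
import sqlite3
import unicodedata

# Assumed allowlist of avatar extensions; MyBB's actual list is not on the page.
ALLOWED_AVATAR_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}


def avatar_extension(filename):
    """Return the lowercase extension if it is on the allowlist, else None.

    The uploaded name is untrusted; only a value from the fixed set is ever
    used to build a stored path or a database value, so a quote or other SQL
    metacharacter in the name never reaches the query.
    """
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_AVATAR_EXTENSIONS else None


def has_invisible_chars(username):
    """True if the username contains characters that render as nothing.

    Unicode category Cf (format) includes ZERO WIDTH SPACE U+200B, the zero
    width joiner/non-joiner and U+FEFF; Cc covers control characters. A name
    such as "admin" followed by U+200B displays exactly like "admin".
    """
    return any(unicodedata.category(ch) in ("Cf", "Cc") for ch in username)


def open_db():
    """Constructed in-memory schema standing in for the forum's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, avatar TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', NULL)")
    return conn


def register(conn, username):
    """Reject look-alike names before the uniqueness check can be bypassed."""
    if has_invisible_chars(username):
        raise ValueError("username contains invisible characters")
    conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    row = conn.execute("SELECT uid FROM users WHERE username=?", (username,)).fetchone()
    return row[0]


def store_avatar(conn, uid, upload_name):
    """Validate the extension, then write with a parameterised statement."""
    ext = avatar_extension(upload_name)
    if ext is None:
        raise ValueError("avatar extension not permitted")
    # Bound parameters: the value cannot alter the structure of the SQL.
    conn.execute(
        "UPDATE users SET avatar=? WHERE uid=?", ("avatar_%d.%s" % (uid, ext), uid)
    )
    return conn.execute("SELECT avatar FROM users WHERE uid=?", (uid,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(store_avatar(db, 1, "me.PNG"))  # avatar_1.png
    for bad in ("me.php", "me.png'"):  # wrong type, quote in the extension
        try:
            store_avatar(db, 1, bad)
        except ValueError as e:
            print("rejected %r: %s" % (bad, e))
    try:
        register(db, "admin\u200b")
    except ValueError as e:
        print("rejected look-alike of 'admin':", e)
```

The allowlist check and the bound parameters are independent layers: even if an unexpected extension slipped through the first, the second keeps it from changing the query. For usernames, rejecting category Cf and Cc characters is the minimum; a deployment that wants to block wider confusable ranges would extend the check rather than weaken it.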

References

Bugtraq ID 36460
URL http://blog.mybboard.net/2009/09/21/mybb-1-4-9-released-security-update/
URL http://dev.mybboard.net/issues/418
URL http://dev.mybboard.net/issues/464
URL http://secunia.com/advisories/36803