SQL Injection Vulnerabilities Fixed in MyBB 1.6.7

Many of the addressed flaws affected the Admin Control Panel

By on April 2nd, 2012 09:52 GMT

MyBB 1.6.7 was released as a maintenance and security update that also addresses a few vulnerabilities which, in certain circumstances, may have allowed cybercriminals to cause serious damage to affected forums.

This release fixes 70 bugs and introduces 5 new feature updates. However, MyBB Group reveals that not all the issues have been resolved.

The vulnerabilities that affect previous versions of MyBB are apparently low-risk, because an attacker would require administrator privileges in order to exploit them.

The list of security holes includes SQL Injection flaws in the user search, Mail Login, and User Inline Moderation modules of the Admin Control Panel (ACP). The ACP is also susceptible to cross-site scripting (XSS) attacks if an orphaned attachment has a malformed filename.

A full path disclosure issue, triggered if a malformed forumread cookie is used, has also been fixed.

MyBB customers are advised to immediately update to the latest version.

MyBB 1.6.7 is available for download here.

