Secunia

Some vulnerabilities have been reported in MyBB, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to compromise a vulnerable system.

1) Input passed to the "sortby" parameter in forumdisplay.php and search.php (when "action" is set to "results") is not properly sanitised before being used in "eval()" calls. This can be exploited to inject and execute arbitrary PHP code via a specially crafted parameter value.

Successful exploitation of this vulnerability requires knowledge of valid "fid" values for forumdisplay.php and valid "sid" values for search.php.

2) Input passed to the "mergepost" array parameter (when "action" is set to "do_mergeposts"), "rid" (when "action" is set to "allreports"), and "threads" (when "action" is set to "do_multimovethreads") in moderation.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires valid moderator credentials.

3) Input passed to the "request" array parameter and "gid" in admin/usergroups.php (when "action" is set to "do_joinrequests") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires valid admin credentials.

The vulnerabilities are reported in version 1.2.10 and all previous 1.2.x releases. Other versions may also be affected.

Solution
Update to version 1.2.11.
Further details available in Customer Area

Provided and/or discovered by
1) Janek Vind a.k.a. waraxe, koziolek
2) Janek Vind a.k.a. waraxe
3) Janek Vind a.k.a. waraxe

Changelog
Further details available in Customer Area

Original Advisory
MyBB:
http://community.mybboard.net/showthread.php?tid=27227

Janek Vind:
1) http://www.waraxe.us/advisory-61.html
2, 3) http://www.waraxe.us/advisory-62.html

Deep Links
Links available in Customer Area