CVE-2005-4199: SQL Injection
First published: Tue Dec 13 2005(Updated: )
Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MyBB | <=1.0 | |
| MyBB | =1.0-beta4 | |
| MyBB | =1.0-pr1 | |
| MyBB | =1.0-rc1 | |
| MyBB | =1.0-rc2 | |
| MyBB | =1.0-rc3 | |
| MyBB | =1.0-rc4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.trapkit.de/advisories/TKPN2005-12-001.txt
- http://community.mybboard.net/showthread.php?tid=5184&pid=30964#pid30964
- http://www.securityfocus.com/bid/15793
- http://secunia.com/advisories/18000
- http://www.trapkit.de/advisories/TKADV2005-12-001.txt
- http://securitytracker.com/id?1015407
- http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html
- http://www.osvdb.org/22156
- http://www.osvdb.org/22157
- http://www.osvdb.org/22158
- http://securityreason.com/securityalert/246
- http://securityreason.com/securityalert/294
- http://www.vupen.com/english/advisories/2005/2842
- http://www.securityfocus.com/archive/1/420159/100/0/threaded
- http://www.securityfocus.com/archive/1/419067/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2005-4199?
CVE-2005-4199 is considered a high severity vulnerability due to its potential to allow remote attackers to execute arbitrary SQL commands.
How do I fix CVE-2005-4199?
To fix CVE-2005-4199, upgrade your MyBulletinBoard (MyBB) installation to version 1.0 or later, which patches the identified SQL injection vulnerabilities.
Which versions are affected by CVE-2005-4199?
CVE-2005-4199 affects MyBB versions prior to 1.0, including version 1.0-rc2, 1.0-rc3, 1.0-rc4, and earlier beta versions.
Can CVE-2005-4199 be exploited remotely?
Yes, CVE-2005-4199 can be exploited remotely by attackers via specific input parameters in MyBB, enabling unauthorized SQL commands.
What are some common attack vectors for CVE-2005-4199?
Common attack vectors for CVE-2005-4199 include manipulating the month, day, year parameters in calendar.php and threadmode, showcodebuttons in usercp.php.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- agent/weakness
- vendor/mybb
- canonical/mybb
- version/mybb/1.0
- version/mybb/1.0-beta4
- version/mybb/1.0-pr1
- version/mybb/1.0-rc1
- version/mybb/1.0-rc2
- version/mybb/1.0-rc3
- version/mybb/1.0-rc4