[VIM] Vendor ACK of MyBB issue

Steven M. Christey coley at mitre.org
Tue Nov 22 19:41:53 EST 2005


Vendor acknowledgement of CVE-2005-3326 (usercp.php?awayday SQL
injection in MyBB) is at:

  http://community.mybboard.net/showthread.php?tid=4507&pid=27223#pid27223

along with a small reference to a DoS, which is alluded to in
SECUNIA:17577.

The forum post "MyBB PR2 Security Update [1/11/05]" identifies "The
major security issue could allow your board to be compromised via an
SQL injection based vulnerability... discovered on the 26th
October..." and includes usercp.php in the patched files, which shows
cleansing of the awayday parameter.  The date also aligns with the
Bugtraq post.

- Steve

