MyBB 1.2 Local File Incusion

---

• From: o.y.6@xxxxxxxxxxx, ""@securityfocus.com, D3vil-0x1@xxxxxxxxxxxxxxxxx
• Date: 30 Jan 2006 10:38:29 -0000

---

Invalid characters removed from From: o.y.6@xxxxxxxxxxx, |@securityfocus.com,

#### D3vil-0x1 MyBB Bug ###
## Local File Inclusion
##
## MyBB 1.2 -> Admin Can Include Local File :)

## File :- admin/plugins.php

Line :- 51
//*

if($mybb->input['action'] == "activate")

{

$codename = $mybb->input['plugin']; << Input From POST

$file = $codename.".php"; << Set File Type [ we can remove the type by NULL ( %00 ) ]

if($mybb->input['activate'])

{

.....
.....

}

elseif($mybb->input['deactivate'])

{

.....
.....

}



include "./inc/plugins/$file"; << Include BIG BUG :P

*//
#---------------------------------------------------------#

---

• Prev by Date: BlackWorm: statistics and numbers
• Next by Date: XSS flaw in MG2 Image Gallery (v.0.5.1)
• Previous by thread: BlackWorm: statistics and numbers
• Next by thread: XSS flaw in MG2 Image Gallery (v.0.5.1)
• Index(es):
  • Date
  • Thread

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)