Mybb Cms (private.php Page) Denial Of Service Vulnerability

2016-04-14 14:54:35
Posted by: irist.ir

#################################


#####################################

#####################################

# Iranian Exploit DataBase

# Mybb Cms (private.php Page) Denial Of Service Vulnerability

# Vulnerability : Denial Of Service - Dos

# Vulnerability on : (Search In private.php Page)

# Version : 1.6* and 1.8.*

# tested : 1.6.18 and 1.8.7

# Vendor site : http://mybb.com/

# Author : IeDb.Ir

# Site : Www.IeDb.Ir - Www.IeDb.Ir/acc - xssed.Ir - kkli.ir

# Vulnerability attack information site : http://xssed.Ir/

# Archive Exploit = http://kkli.ir/zcnux

#####################################

# Bug :

http://www.site.com/mybb/private.php

POST method:

my_post_key=[user Post Key]&keywords=[Dos]&quick_search=[Dos]&fromfid=0&fid=1&jumpto=1&action=do_stuff


-----------------------------


# Description :

Hello.
This security problem is in one of the files of the MyBB portal and can be used to disrupt the system.

Variables that can be used for it:
keywords
quick_search

These variables are part of the portal. Sending a very long input to them disrupts the MyBB system, and the portal becomes unavailable.
A very long input gives a stronger effect.

You can also use a program written in Perl to disrupt the system.


This section of the portal does not check the length of its input.
That is why a very heavy input can be given to it and the request repeated several times in a row.
The site cannot process them all, and this makes the portal unavailable.
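One way a site operator could close the gap the description points at, as an added example that is not MyBB's own code: bound the byte length of the keywords and quick_search fields before any database work happens, and cap how often one session may submit the search form. The function names, the limits (100 bytes, 10 searches per minute) and the $_SESSION key are assumptions chosen for illustration; the my_post_key check is left to MyBB's existing code.

```php
<?php
// Added example, not MyBB's own code: server-side length and rate checks for
// the private-message search parameters named in this advisory.
// Function names, limits and the $_SESSION key are assumptions for illustration.

declare(strict_types=1);

const MAX_SEARCH_LENGTH = 100;      // assumed cap; generous for a real search term
const MAX_SEARCHES_PER_MINUTE = 10; // assumed per-session rate limit

/**
 * Return the cleaned search term, or null when the request should be refused.
 * Overlong or empty values are rejected before the query layer ever sees them,
 * so an oversized "keywords" or "quick_search" value costs no database time.
 */
function validate_search_term(array $post, string $field): ?string
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $term = trim($post[$field]);
    // Byte length, not character count: strlen() is what bounds memory and query size.
    if ($term === '' || strlen($term) > MAX_SEARCH_LENGTH) {
        return null;
    }
    return $term;
}

/**
 * Simple per-session rate limiter: allow at most MAX_SEARCHES_PER_MINUTE
 * search submissions per rolling 60-second window. $bucket is passed by
 * reference so it can live in $_SESSION (or any other per-user store).
 */
function search_rate_allowed(array &$bucket, int $now): bool
{
    // Drop timestamps that fell out of the window.
    $bucket = array_values(array_filter($bucket, fn(int $t) => $t > $now - 60));
    if (count($bucket) >= MAX_SEARCHES_PER_MINUTE) {
        return false;
    }
    $bucket[] = $now;
    return true;
}

// --- Illustrative use at the top of the do_stuff handler ---
session_start();
if (($_POST['action'] ?? '') === 'do_stuff') {
    // MyBB's own my_post_key verification would run here, before anything else.
    $keywords = validate_search_term($_POST, 'keywords');
    $quick    = validate_search_term($_POST, 'quick_search');
    $_SESSION['pm_search_times'] = $_SESSION['pm_search_times'] ?? [];

    if ($keywords === null && $quick === null) {
        http_response_code(400);
        exit('Search term is missing or too long.');
    }
    if (!search_rate_allowed($_SESSION['pm_search_times'], time())) {
        http_response_code(429);
        exit('Too many search requests; try again shortly.');
    }
    // ... proceed to the real search with $keywords / $quick ...
}
```

The length check is the one that matters for the behaviour the advisory describes; the rate limit is a second layer so that many repeated, individually valid requests from one session are also throttled. Both run before any database query, which is the point: a rejected request should be nearly free for the server.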

To fix this, please refer to the iedb.ir and iedb.ir/acc sites.
Bug-free files will be placed at the following link:

http://iedb.ir/acc/thread-3164.html

--------------

The exploit and DDoSer are private.
The exploit is only sent out with the news and is also still in progress for this vulnerability.
To request exploits, stay tuned with us:

http://iedb.ir

http://iedb.ir/acc/

http://irist.ir

http://xssed.ir

email : [email protected]

Thanks to: all members of Iedb.ir and Iedb.ir/acc, and all the other friends associated with our team.

#####################################

# Archive Exploit = http://iedb.ir/exploits-5032.html

#####################################

Fixes

No fixes
