CVE-2006-3758

Name of the Vulnerable Software and Affected Versions MyBB (aka MyBulletinBoard) version 1.1.4

Description The issue allows remote attackers to overwrite arbitrary variables due to the extract function being called with EXTR OVERWRITE on HTTP POST and GET variables in the inc/init.php file when Archive Mode (Light) is used. This can be exploited for SQL injection, for example, by manipulating the SERVER[HTTP CLIENT IP] parameter in archive/index.php.

Recommendations For MyBB (aka MyBulletinBoard) version 1.1.4, consider restricting access to the archive mode or temporarily disabling the use of the extract function with EXTR OVERWRITE on HTTP variables until a proper fix is available. Avoid using the SERVER[HTTP CLIENT IP] parameter in the archive/index.php file to minimize the risk of SQL injection exploitation.