Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 with Security Patch allow remote attackers to execute arbitrary SQL commands via the Username field in (1) index.php or (2) member.php, the action parameter to (3) search.php or (4) member.php, or (5) the polloptions parameter to polls.php.
MyBulletinBoard (MyBB) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'username' variable. This allows an attacker to inject or manipulate SQL queries in the back-end database, up to logging in as the site administrator and gaining full access to the Admin Control Panel.
Currently, there are no known upgrades to correct this issue. However, the MyBB Group has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround: set the magic_quotes_gpc PHP option to 'on'.
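The pattern the advisory describes, shown as an added example that is not MyBB's own code: a username concatenated straight into a query, beside the parameterized form that closes the hole independently of any PHP-wide setting. It runs offline against an in-memory SQLite database through PDO; the `users` table, its columns, the sample rows and the `O'Brien` input are constructed stand-ins and are not taken from the MyBB schema.

```php
<?php
// Added example (not MyBB's own code). Uses an in-memory SQLite database via
// PDO so it runs without a server; table and column names are constructed
// stand-ins for the forum schema, not the project's real ones.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, usergroup INTEGER)");
    // Two constructed rows; the second contains a single quote in the name.
    $db->exec("INSERT INTO users (username, usergroup) VALUES ('admin', 4), ('O''Brien', 2)");
    return $db;
}

// Vulnerable pattern: user input is spliced into the SQL text, so any quote
// character in $username changes the structure of the query, not just its data.
function findUserVulnerable(PDO $db, string $username): ?array {
    $sql = "SELECT uid, username, usergroup FROM users WHERE username='" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: a prepared statement with a bound parameter. The query text
// and the value travel separately, so the value is never parsed as SQL no
// matter which characters it contains, and no magic_quotes-style global
// escaping is needed.
function findUserSafe(PDO $db, string $username): ?array {
    $stmt = $db->prepare("SELECT uid, username, usergroup FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = setupDb();
$input = "O'Brien";   // constructed input containing a single quote

try {
    var_dump(findUserVulnerable($db, $input));
} catch (PDOException $e) {
    // The quote ended the string literal early and the remainder became SQL
    // syntax: this is the same mechanism the advisory's injection relies on.
    echo "vulnerable query failed: " . $e->getMessage() . PHP_EOL;
}

var_dump(findUserSafe($db, $input));   // the O'Brien row, uid 2
```

A note on the listed workaround: `magic_quotes_gpc` only escapes GET, POST and cookie input, leaves values that reach a query by any other route untouched, gives no protection where input lands in an unquoted (for example numeric) position in a query, and was deprecated in PHP 5.3 and removed in PHP 5.4. It is a stopgap until the vendor patch is applied; binding parameters as above is the durable fix.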