The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
||||
|
||||
'last.php' 3rd Party vBulletin Hack Lets Remote Users Inject SQL Commands
Input Validation Error in 'last.php' 3rd Party vBulletin Hack Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID: *removed* SecurityTracker URL: *link removed* CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site) Updated: Nov 12 2004 Original Entry Date: Nov 11 2004 Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information Exploit Included: Yes Description: An input validation vulnerability was reported in the 'last.php' hack for vBulletin. A remote user can inject SQL commands. The script is a 3rd party product and is not part of the vBulletin product. Dr. Death reported that 'last.php' does not properly validate user-supplied input in the 'fsel' parameter. A remote user can submit a specially crafted HTTP request to inject SQL commands on the underlying database. A demonstration exploit is provided: *removed* Impact: A remote user can execute SQL commands on the underlying database. Solution: No solution was available at the time of this entry. Cause: Input validation error Underlying OS: Linux (Any), UNIX (Any), Windows (Any) Reported By: "Dr. Death" <drdeath4ever@hotmail.com> Message History: None. __________________________________________________ ______________ Date: Thu, 11 Nov 2004 05:29:44 +0000 From: "Dr. Death" <drdeath4ever@hotmail.com> Subject: SQL injection in vBulletin forums (last10.php) hi all, a new SQL injection found in VBulletin Forums 3.0.x the Vulnerabilite found in last.php, last 10 topics hack. *removed* to solve the problem delet fsel? from ttlast.php and last10.php Best Regards, Dr.Death THE MAN OF THE DARK SIDE NEWS LINK:h*removed* |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|