The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
'last.php' 3rd Party vBulletin Hack Lets Remote Users Inject SQL Commands
Input Validation Error in 'last.php' 3rd Party vBulletin Hack Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID: *removed*
SecurityTracker URL: *link removed*
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Updated: Nov 12 2004
Original Entry Date: Nov 11 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included: Yes

Description: An input validation vulnerability was reported in the 'last.php' hack for vBulletin. A remote user can inject SQL commands. The script is a 3rd party product and is not part of the vBulletin product. Dr. Death reported that 'last.php' does not properly validate user-supplied input in the 'fsel' parameter. A remote user can submit a specially crafted HTTP request to inject SQL commands on the underlying database. A demonstration exploit is provided: *removed*

Impact: A remote user can execute SQL commands on the underlying database.

Solution: No solution was available at the time of this entry.

Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Dr. Death" <drdeath4ever@hotmail.com>
Message History: None.

________________________________________________________________

Date: Thu, 11 Nov 2004 05:29:44 +0000
From: "Dr. Death" <drdeath4ever@hotmail.com>
Subject: SQL injection in vBulletin forums (last10.php)

Hi all,

A new SQL injection found in vBulletin Forums 3.0.x. The vulnerability is found in last.php, last 10 topics hack.

*removed*

To solve the problem, delete fsel? from ttlast.php and last10.php.

Best Regards,
Dr.Death
THE MAN OF THE DARK SIDE

NEWS LINK:h*removed*
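An added example, not code from the 'last.php' hack or from any poster in this thread: one way to validate a parameter like `fsel` and keep it out of the SQL text, assuming it carries a comma-separated list of numeric forum IDs (the advisory does not say what `fsel` holds). The function names, the `thread` table and its columns are hypothetical, and the sample rows and inputs are constructed.

```php
<?php
// Added illustration; not the code of last.php. Assumes 'fsel' is a
// comma-separated list of numeric forum IDs (an assumption, the page does not say).

// Parse the raw parameter into a bounded list of integers, or reject it outright.
function parse_forum_ids(?string $raw, int $max = 50): array
{
    if ($raw === null || $raw === '') {
        return [];                       // no forum filter requested
    }
    if (!preg_match('/^\d{1,9}(,\d{1,9})*\z/', $raw)) {
        throw new InvalidArgumentException('fsel must be a list of forum IDs');
    }
    $ids = array_values(array_unique(array_map('intval', explode(',', $raw))));
    if (count($ids) > $max) {
        throw new InvalidArgumentException('too many forum IDs');
    }
    return $ids;
}

// Fetch the latest threads; every ID is bound as a parameter, never concatenated.
function latest_threads(PDO $db, array $forumIds, int $limit = 10): array
{
    $sql = 'SELECT threadid, title FROM thread';   // hypothetical schema
    if ($forumIds) {
        $marks = implode(',', array_fill(0, count($forumIds), '?'));
        $sql .= " WHERE forumid IN ($marks)";
    }
    $sql .= ' ORDER BY lastpost DESC LIMIT ' . (int) $limit;
    $stmt = $db->prepare($sql);
    $stmt->execute($forumIds);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE thread (threadid INTEGER, forumid INTEGER, title TEXT, lastpost INTEGER)');
$db->exec("INSERT INTO thread VALUES (1, 2, 'Welcome', 100), (2, 3, 'Staff only', 200)");

foreach (['2', '2,3', "2'"] as $raw) {             // last value is constructed malformed input
    try {
        echo $raw, ' => ', count(latest_threads($db, parse_forum_ids($raw))), " row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo $raw, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```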
#2
I would suggest altering the author
#3
It's better to know which hack this is, so the maker of the hack can be notified?
#4
I found this today and I wrote it here. I think that this is not a bug; it is a backdoor for hacking.
#5
Quote:
#6
Quote:
I think he might have got a bit confused with your first reply Quote:
#7
I have removed your link and exploit details in case any malicious user here decided to take advantage. I've maintained a copy of your post behind the scenes for the staff to take a look at. Thank you for alerting us and we'll contact the author.