  • Potential SQL Injection exploit in faq.php?

    Code:
    Database error in vBulletin 3.7.0:
    Invalid SQL:
      SELECT varname AS faqname, fieldname
      FROM phrase AS phrase
      WHERE phraseid IN(195865, 195864, 195863, 195862, 195861, 195860, 195859, 195858, 195857, 195856, 195855, 195854, 195853, 195852, 195851, 195850, 195849, 195848, 195847, 195846, 195845, 195844, 195843, 195842, 195841, 195840, 195839, 195838, 195837, 195836, 195835, 195834, 195833, 195832, 195831, 195830, 195829, 195828, 195827, 195826, 195825, 195824, 195907, 195905, 195906, 195904, 195903, 195902, 195901, 195900, 195899, 195898, 195897, 195896, 195895, 195894, 195893, 195892, 195890, 195891, 195889, 195888, 195887, 195886, 195885, 195883, 195884, 195882, 195881, 195880, 195879, 195878, 195877, 195876, 195875, 195874, 195869, 195870, 195871, 195872, 195873, 195866, 195867, 195868, 186315, 186316, 186317, 186318, 186319, 186320, 186321, 186322, 186323, 186324, 186325, 186326, 186327, 186328, 186329, 186330, 186331, 186332, 186333, 186334, 186335, 186336, 186337, 186338, 186339, 186340, 186341, 186342, 186343, 186344, 186345, 186346, 186347, 186348, 186349, 186350, 186351, 186352, 186353, 186354, 186355, 186356, 186357, 186358, 186359, 186360, 186361, 186362, 186363, 186364, 186365, 186366, 186367, 186368, 186369, 186370, 186371, 186372, 186373, 186374, 186375, 186376, 186377, 186378, 186379, 186380)
       AND ();
    MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 4
    Error Number  : 1064
    Request Date  : Monday, May 26th 2008 @ 12:02:55 AM
    Error Date    : Monday, May 26th 2008 @ 12:02:55 AM
    Script        : faq.php?s=&do=search&q=a&match='%20or%201=1;&titlesonly='%20or%201=1
    Referrer      : 
    IP Address    : Truncated
    Username      : Unregistered
    Classname     : vB_Database
    MySQL Version :
    I had a user constantly trying different things; to prevent anything bad from happening, I simply temporarily removed my faq.php.
    http://www.voogru.com
    http://forums.voogru.com
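    The logged statement fails on an empty `AND ()` that the search code rendered when it had no conditions to put inside the parentheses; the `' or 1=1` values in `match` and `titlesonly` never reached the SQL as code. As an added example (not vBulletin's own code, which is PHP), the Python below builds the same phrase lookup with bound parameters, appends the search clause only when there are terms, and runs the request values from the log against a constructed in-memory SQLite `phrase` table. The `text` column, the `faq_*` sample rows, `FAQ_IDS` and the `search_faq` helper are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for vBulletin's `phrase` table. Only phraseid, varname and
# fieldname appear in the logged query; the `text` column searched here is an
# assumption made for this example.
SAMPLE_PHRASES = [
    (100,    "faq_staff_title",  "faqtitle", "Login help for staff"),
    (186315, "faq_search_title", "faqtitle", "Searching the forum"),
    (186316, "faq_search_text",  "faqtext",  "Use the search box at the top of every page."),
    (195865, "faq_login_title",  "faqtitle", "Login problems"),
    (195866, "faq_login_text",   "faqtext",  "Enter your username and password on the login page."),
]

# Phrase ids the FAQ page is allowed to show (a short subset of the IN list in the log).
# Row 100 is deliberately left out to show that the IN restriction still applies.
FAQ_IDS = [195865, 195866, 186315, 186316]


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phrase (phraseid INTEGER PRIMARY KEY, varname TEXT, "
        "fieldname TEXT, text TEXT)"
    )
    conn.executemany("INSERT INTO phrase VALUES (?, ?, ?, ?)", SAMPLE_PHRASES)
    return conn


def like_escape(term):
    """Escape LIKE wildcards inside a user term so it is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_phrase_query(phrase_ids, terms, titles_only=False):
    """Return (sql, params) for the FAQ phrase lookup.

    Every user-controlled value is a bound parameter, and the search clause is
    appended only when at least one term survives, so an empty term list can
    never produce the dangling `AND ()` seen in the error log.
    """
    if not phrase_ids:
        raise ValueError("phrase_ids must not be empty")
    id_slots = ", ".join("?" for _ in phrase_ids)
    sql = (
        "SELECT varname AS faqname, fieldname "
        "FROM phrase AS phrase "
        f"WHERE phraseid IN ({id_slots})"
    )
    params = list(phrase_ids)

    # All terms must match (AND); blank terms are dropped rather than emitted empty.
    clauses = []
    for term in terms:
        term = term.strip()
        if not term:
            continue
        clauses.append("text LIKE ? ESCAPE '\\'")
        params.append(f"%{like_escape(term)}%")
    if clauses:
        sql += " AND (" + " AND ".join(clauses) + ")"

    if titles_only:
        sql += " AND fieldname = ?"
        params.append("faqtitle")
    return sql + " ORDER BY phraseid", params


def search_faq(conn, phrase_ids, q, titlesonly):
    """Emulate faq.php?do=search: `q` and `titlesonly` arrive as raw request strings.

    `titlesonly` is only honoured when it is exactly "1"; any other string,
    including the `' or 1=1` from the log, is simply treated as "not set".
    """
    sql, params = build_phrase_query(phrase_ids, q.split(), titles_only=(titlesonly == "1"))
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_faq(db, FAQ_IDS, "login", "0"))           # both login rows
    print(search_faq(db, FAQ_IDS, "login", "1"))           # title row only
    print(search_faq(db, FAQ_IDS, "", "0"))                # no terms: no AND clause, all FAQ rows
    print(search_faq(db, FAQ_IDS, "' or 1=1", "' or 1=1")) # bound as data, matches nothing
```

    The request from the log (`q` empty in effect, `match` and `titlesonly` set to `' or 1=1`) goes through this builder as plain bound strings: the empty term list yields no search clause at all, and the quote-and-`or` string is looked up literally and matches no row. The `ESCAPE` clause is there because a user term containing `%` or `_` would otherwise act as a wildcard, which is a separate search-scope problem rather than an injection.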

  • #2
    There is no security issue; it is a bug that is causing this error: http://www.vbulletin.com/forum/proje...?issueid=25377
    Best Regards,
    Andy Huang

  • #3
    Okay. Was just being extra careful.
    http://www.voogru.com
    http://forums.voogru.com

  • #4
    You can patch it now if you are really super duper worried; the diff file is provided.
    Best Regards,
    Andy Huang
