...This exploit?:
Is vb3.0.3 secure now?
The patch?... when?
I don't want to try... if this exploit exists.
Code:
SQL injection in vBulletin forums

Date: Nov 11 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 3.0.x

Description: An input validation vulnerability was reported in vBulletin in 'last.php'. A remote user can inject SQL commands.

Dr. Death reported that 'last.php' does not properly validate user-supplied input in the 'fsel' parameter. A remote user can submit a specially crafted HTTP request to inject SQL commands on the underlying database.

A demonstration exploit is provided:

last.php?fsel=,user.password%20as%20title,u ser.%20 %20%20%20username%20as%20lastposter%20FROM%20user, thread%20%20%20%20%20WHERE%20usergroupid=6%20LIMIT %201

Impact: A remote user can execute SQL commands on the underlying database.
Solution: No solution was available at the time of this entry.
Vendor URL: www.vbulletin.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Dr. Death" <[email protected]>
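For forum administrators who want to see whether this issue has been probed on their own site, here is a log check, added as an example and not part of the original post or the quoted advisory. It flags requests to last.php whose decoded fsel value falls outside an allowlist or contains SQL keywords. The combined log format, the allowlist pattern for legitimate fsel values and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format: capture client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+) [^"]*"')

# Assumption: a legitimate fsel value is a short alphanumeric token.
SAFE_FSEL = re.compile(r'[A-Za-z0-9_]{0,32}')
SQL_WORDS = re.compile(r'\b(select|union|from|where|limit|password)\b', re.I)

def check_line(line):
    """Return (ip, decoded_fsel, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if not url.path.lower().endswith('/last.php'):
        return None
    # parse_qs percent-decodes each value before we inspect it.
    for value in parse_qs(url.query, keep_blank_values=True).get('fsel', []):
        reasons = []
        if not SAFE_FSEL.fullmatch(value):
            reasons.append('outside allowlist')
        if SQL_WORDS.search(value):
            reasons.append('SQL keyword')
        if reasons:
            return (m.group('ip'), value, reasons)
    return None

def scan(lines):
    """Return all suspicious hits found in an iterable of log lines."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2004:10:01:22 +0000] '
    '"GET /forum/last.php?fsel=news HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Nov/2004:10:02:03 +0000] '
    '"GET /forum/last.php?fsel=,x%20as%20title%20FROM%20user HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [12/Nov/2004:10:02:09 +0000] '
    '"GET /forum/index.php?fsel=%20FROM%20user HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == '__main__':
    for ip, value, reasons in scan(SAMPLE_LOG):
        print(f'{ip} fsel={value!r} flagged: {", ".join(reasons)}')
```
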