A serious SQL injection vulnerability was reported in vBulletin (4.0.x, 4.1.0, 4.1.1 and 4.1.2) last month, and we are starting to see it being used to attack and infect forums that run it. The vulnerability is very simple and is explained here:
Multiple vBulletin Products ‘Search Multiple Content Types’ SQL Injection Vulnerability
Multiple vBulletin products are prone to an SQL-injection vulnerability because the applications fail to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The following example data are available:
&cat=1) UNION SELECT database()#
&cat=1) UNION SELECT table_name FROM information_schema.tables#
&cat=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
There is even a video on YouTube showing how to do it:
*Thanks to Marcus Maciel for the reminder and help.
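For forum owners who want to check their own logs for this, here is a small detection sketch. It is an added example, not code from the advisory or from vBulletin. It flags any `cat` parameter whose value is not a plain list of integers, which is an assumption about what a legitimate category value looks like. The record layout and the sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Parameter names treated as the category filter: cat, cat[], cat[0], ...
CAT_KEY = re.compile(r"^cat(\[\d*\])?$", re.IGNORECASE)
# Assumption: a legitimate value is one or more integer ids, e.g. "1" or "3,4".
CAT_VALUE = re.compile(r"^\d+(,\d+)*$")


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded values are still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_cat_values(param_string):
    """Return the cat values in a query string or form body that are not numeric ids."""
    findings = []
    # parse_qsl already decodes one layer of percent-encoding and '+' as space.
    for key, value in parse_qsl(param_string, keep_blank_values=True):
        if not CAT_KEY.match(fully_decode(key)):
            continue
        value = fully_decode(value).strip()
        if value and not CAT_VALUE.match(value):
            findings.append(value)
    return findings


def scan(records):
    """records: iterable of (client, param_string); returns [(client, bad_value), ...]."""
    return [(client, bad) for client, params in records
            for bad in suspicious_cat_values(params)]


# Constructed audit-log records: (client address, raw query string or form body).
SAMPLE = [
    ("198.51.100.7", "query=backup&cat=1"),
    ("198.51.100.7", "query=backup&cat%5B0%5D=3&cat%5B1%5D=4"),
    ("203.0.113.9", "query=x&cat=1) UNION SELECT database()#"),
    ("203.0.113.9", "query=x&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23"),
    ("203.0.113.9", "query=x&cat=1%2529%2520UNION%2520SELECT%2520database%2528%2529%2523"),
]

if __name__ == "__main__":
    for client, bad in scan(SAMPLE):
        print(f"{client}: non-numeric cat value {bad!r}")
```

Standard access logs usually omit form bodies, so feed this from a source that records the submitted parameters, such as a WAF or audit log.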