vBulletin Last XX Posts last10.php ftitle Parameter SQL Injection

2004-12-22T18:39:47
ID OSVDB:12593
Type osvdb
Reporter al3ndaleeb(al3ndaleeb@uk2.net)
Modified 2004-12-22T18:39:47

Description

Vulnerability Description

vBulletin Last XX Posts contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'ftitle' parameter in the 'last10.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

vBulletin Last XX Posts contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'ftitle' parameter in the 'last10.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/forum/last10.php?ftitle=%20WHERE%20userid=0%20UNION%20SELECT%20null, userid, password, null, null, null, null, null, null%20FROM%20user%20WHERE%20usergroupid=6%20LIMIT%201/*

References:

Vendor URL: http://www.vbulletin.org/forum/showthread.php?t=12324 Other Advisory URL: http://www.securiteam.com/unixfocus/6C00R0KC0I.html