VBulletin Search UI Multiple SQL Injection Vulnerabilities Network Vulnerability

Summary

The host is running Vbulletin and is prone to multiple SQL injection vulnerabilities.

Impact

Successful exploitation will allow attacker to cause SQL Injection attack and gain sensitive information. Impact Level: Application

Solution

Apply the patch from below link, https://www.vbulletin.com/forum/showthread.php/384249-vBulletin-4.X-Security-Patch

Insight

The flaw is caused by improper validation of user-supplied input via the 'messagegroupid' and 'categoryid' parameters in search.php, which allows attacker to manipulate SQL queries by injecting arbitrary SQL code.

Affected

Vbulletin versions 4.0.x through 4.1.3.

References

http://osvdb.org/show/osvdb/71675
http://packetstormsecurity.org/files/view/103197/vbulletinsearchui-sql.txt
http://packetstormsecurity.org/files/view/103198/vbulletinmgi-sql.txt
http://secunia.com/advisories/45290

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution
Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities
Atlassian JIRA FishEye and Crucible Plugins XML Parsing Unspecified Security Vulnerability
ArticleFR CMS 'id' Parameter SQL Injection Vulnerability
Arkeia Appliance Multiple Vulnerabilities

vBulletin Search UI Multiple SQL Injection Vulnerabilities

Take action and discover your vulnerabilities