| Field | Value |
|---|---|
| VID | 21359 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The vBulletin installation on the remote web server has a SQL injection vulnerability in the 'calendar.php' script. vBulletin is a PHP-based web forum developed by Jelsoft Enterprises that uses a MySQL database. vBulletin versions 2.3.x before 2.3.4 are vulnerable to SQL injection in the 'calendar.php' script because the application fails to properly sanitize user-supplied URI input. By embedding arbitrary SQL code in a request to the 'calendar.php' script, a remote attacker could obtain sensitive information and possibly add, modify or delete data in the backend database. |
| References | http://archives.neohapsis.com/archives/bugtraq/2004-01/0027.html |
| Platforms Affected | Jelsoft Enterprises Limited vBulletin 2.3.xx and earlier; Linux (any version); Microsoft Windows (any version); Unix (any version) |
| Recommendation | Upgrade to the latest version of vBulletin (3.0.3 or later), available from the vBulletin Download page at http://www.vbulletin.com/download.php |
| Related URL | CVE-2004-0036 (CVE) |
| Related URL | 9360 (SecurityFocus) |
| Related URL | 14144 (ISS) |