| Field | Value |
| --- | --- |
| VID | 21462 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The vBulletin software has an SQL injection vulnerability in the "Last 10 Posts" plugin script. vBulletin is a PHP-based web forum developed by Jelsoft Enterprises that uses a MySQL database. last10.php, an unofficial plugin for vBulletin, lets a forum owner add a revolving ticker showing the last ten topics of their forum. Last 10 Posts 2.0.1, and possibly other versions, is vulnerable to SQL injection because the application fails to properly sanitize user-supplied URI data before including it in an SQL query. By sending a specially crafted request to the last10.php script containing embedded SQL commands in the `$fsel` and `$ftitle` parameters, a remote attacker could obtain sensitive information and add, modify or delete data in the backend database. |
| Platforms Affected | Jelsoft Enterprises Limited Last 10 Posts for vBulletin version 2.0.1; any operating system, any version |
| Recommendation | No upgrade or patch available as of June 2014. Upgrade to the fixed version of vBulletin when a fixed version becomes available from the vBulletin Download page at http://www.vbulletin.com/download.php |
| Related URL | CVE-2004-1515 (CVE) |
| Related URL | 11825 (SecurityFocus) |
| Related URL | (ISS) |