| VID | 21492 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | vBulletin is vulnerable to arbitrary PHP code execution through the misc.php script. vBulletin is a PHP-based Web forum, developed by Jelsoft Enterprises, that uses a MySQL database. vBulletin versions 3.0.6 and earlier could allow a remote attacker to inject and execute arbitrary PHP code because the "template" parameter of the "misc.php" script is not properly validated. If the 'Add Template Name in HTML Comments' functionality is enabled, a remote attacker could execute arbitrary PHP code via nested variables in the template parameter of the misc.php script. References: http://secunia.com/advisories/14326/ and http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0468.html. Platforms Affected: Jelsoft Enterprises Limited vBulletin versions 3.0.6 and earlier; any operating system, any version. |
| Recommendation | Upgrade to the latest version of vBulletin (3.0.7 or later), available from the vBulletin Download Web page at http://www.vbulletin.com/download.php |
| Related URL | CVE-2005-0511 (CVE) |
| Related URL | 12622 (SecurityFocus) |
| Related URL | 19434 (ISS) |