Summary
The host is running vBulletin and is prone to multiple SQL injection vulnerabilities.
Impact
Successful exploitation will allow an attacker to perform SQL injection attacks and gain access to sensitive information.
Impact Level: Application
Solution
Apply the patch from the link below:
https://www.vbulletin.com/forum/showthread.php/384249-vBulletin-4.X-Security-Patch
Insight
The flaw is caused by improper validation of user-supplied input passed via the 'messagegroupid' and 'categoryid' parameters in search.php, which allows an attacker to manipulate SQL queries by injecting arbitrary SQL code.
Affected
vBulletin versions 4.0.x through 4.1.3.
Severity
Classification
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- ASAS Server End User Self Service (EUSS) SQL Injection Vulnerability
- Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution
- Apache Struts ClassLoader Manipulation Vulnerabilities
- Artmedic Kleinanzeigen File Inclusion Vulnerability
- Alchemy Eye HTTP Command Execution