[VIM] Security Vulnerability reported in vBulletin 3.0.x (fwd)
Steven M. Christey
coley at linus.mitre.org
Tue Apr 25 02:58:30 EDT 2006
Inquiry sent to vBulletin sales people... wish they didn't require registration just to send an email to support.
Basic question is: CVE-2004-0036 was reported in January 2004 in calendar.php with the eventid parameter, but it appeared to have been fixed in 2.3.4. Now we have 3.0.x with the same vectors. 3.0.3 was released in July 2004 according to this:
http://www.vbulletin.com/forum/showthread.php?t=109435
but I can't seem to find any older threads.
So, this could be a regression issue where they re-introduced the bug, or they just didn't fix that issue.
---------- Forwarded message ----------
Date: Tue, 25 Apr 2006 02:50:52 -0400 (EDT)
From: Steven M. Christey <coley at mitre.org>
To: sales vbulletin.com
Subject: Security Vulnerability reported in vBulletin 3.0.x
Hello,
I am a computer security professional and the editor for the Common Vulnerabilities and Exposures (CVE) project. CVE is a list of software vulnerabilities, and it is widely used in the computer security industry. It is sponsored by the US Department of Homeland Security. (http://www.us-cert.gov/cve/, http://cve.mitre.org/)
Recently, a vulnerability in your product was reported to public sources. References and a description are included below:
BUGTRAQ:20060423 vbulletin<--3.0.x SQL Injection
URL:http://www.securityfocus.com/archive/1/431901
This sounds very similar to an issue that was discovered and fixed in vBulletin 2.3.4, as reported here:
http://www.vbulletin.com/forum/showthread.php?postid=588825
Is this new vulnerability report accurate? Is there a different issue, or did the old issue reappear?
For your convenience, I will share your response with other vulnerability information sources unless you request otherwise.
Thank you,
Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation