[VIM] Security Vulnerability reported in vBulletin 3.0.x (fwd)

Steven M. Christey coley at linus.mitre.org
Tue Apr 25 02:58:30 EDT 2006

inquiry sent to vBulletin sales people... wish they didn't require
registration just to send an email to support.

Basic question is: CVE-2004-0036 was reported in January 2004 in
calendar.php with the eventid parameter, but it appeared to have been
fixed in 2.3.4.  Now we have 3.0.x with the same vectors.  3.0.3 was
released in July 2004 according to this:


but I can't seem to find any older threads.

So, this could be a regression issue where they re-introduced the bug, or
they just didn't fix that issue.

---------- Forwarded message ----------
Date: Tue, 25 Apr 2006 02:50:52 -0400 (EDT)
From: Steven M. Christey <coley at mitre.org>
To: sales at vbulletin.com
Subject: Security Vulnerability reported in vBulletin 3.0.x


I am a computer security professional and the editor for the Common
Vulnerabilities and Exposures (CVE) project.  CVE is a list of
software vulnerabilities, and it is widely used in the computer
security industry.  It is sponsored by the US Department of Homeland
Security.  (http://www.us-cert.gov/cve/, http://cve.mitre.org/)

Recently, a vulnerability in your product was reported to public
sources.  References and a description are included below:

  BUGTRAQ:20060423 vbulletin<--3.0.x SQL Injection

This sounds very similar to an issue that was discovered and fixed in
vBulletin 2.3.4, as reported here:


Is this new vulnerability report accurate?  Is there a different
issue, or did the old issue reappear?

For your convenience, I will share your response with other
vulnerability information sources unless you request otherwise.

Thank you,
Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation
