[VIM] Security Vulnerability reported in vBulletin 3.0.x (fwd)
Steven M. Christey
coley at linus.mitre.org
Tue Apr 25 02:58:30 EDT 2006
inquiry sent to vBulletin sales people... wish they didn't require
registration just to send an email to support.
Basic question is: CVE-2004-0036 was reported in January 2004 in
calendar.php with the eventid parameter, but it appeared to have been
fixed in 2.3.4. Now we have 3.0.x with the same vectors. 3.0.3 was
released in July 2004 according to this:
but I can't seem to find any older threads.
So, this could be a regression issue where they re-introduced the bug, or
they just didn't fix that issue.
---------- Forwarded message ----------
Date: Tue, 25 Apr 2006 02:50:52 -0400 (EDT)
From: Steven M. Christey <coley at mitre.org>
To: sales at vbulletin.com
Subject: Security Vulnerability reported in vBulletin 3.0.x
I am a computer security professional and the editor for the Common
Vulnerabilities and Exposures (CVE) project. CVE is a list of
software vulnerabilities, and it is widely used in the computer
security industry. It is sponsored by the US Department of Homeland
Security. (http://www.us-cert.gov/cve/, http://cve.mitre.org/)
Recently, a vulnerability in your product was reported to public
sources. References and a description are included below:
BUGTRAQ:20060423 vbulletin<--3.0.x SQL Injection
This sounds very similar to an issue that was discovered and fixed in
vBulletin 2.3.4, as reported here:
Is this new vulnerability report accurate? Is there a different
issue, or did the old issue reappear?
For your convenience, I will share your response with other
vulnerability information sources unless you request otherwise.
Principal Information Security Engineer
The MITRE Corporation
More information about the VIM
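The thread above asks whether an injectable integer parameter (eventid in calendar.php) was fixed once and then reintroduced. The added example below is not vBulletin's code and not the reported vector; it is a constructed Python/sqlite stand-in for the PHP pattern in question, with an invented event table, a vulnerable lookup that interpolates the request parameter into SQL, a hardened lookup that coerces to an integer (the way PHP's intval() does) and binds it, and a small regression check of the kind that would have flagged the bug coming back between releases. The payload string is illustrative only.

```python
import re
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str]
Lookup = Callable[[sqlite3.Connection, str], List[Row]]


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; not vBulletin's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event (eventid INTEGER PRIMARY KEY, title TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO event VALUES (?, ?, ?)",
        [(1, "Public meeting", 0), (2, "Board only", 1), (3, "Moderator sync", 1)],
    )
    return conn


def to_int(value: str) -> int:
    """Mimic PHP intval() on a request string: leading integer or 0."""
    m = re.match(r"\s*[-+]?\d+", value)
    return int(m.group()) if m else 0


def lookup_vulnerable(conn: sqlite3.Connection, eventid: str) -> List[Row]:
    """Assumed vulnerable pattern: raw request parameter spliced into the query."""
    sql = (
        "SELECT eventid, title FROM event "
        f"WHERE eventid = {eventid} AND private = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, eventid: str) -> List[Row]:
    """Hardened form: integer coercion plus a bound parameter."""
    return conn.execute(
        "SELECT eventid, title FROM event WHERE eventid = ? AND private = 0",
        (to_int(eventid),),
    ).fetchall()


def leaks_private_rows(lookup: Lookup, payload: str = "0 OR 1=1 --") -> bool:
    """Regression check: eventid 0 does not exist, so any row back means the
    WHERE clause was rewritten by the parameter (constructed payload)."""
    conn = make_db()
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error:
        return False  # query rejected outright; nothing leaked
    return len(rows) > 0


def run_regression_suite() -> dict:
    """Report which lookup variants leak; suitable for a release-gate test."""
    return {
        "vulnerable": leaks_private_rows(lookup_vulnerable),
        "fixed": leaks_private_rows(lookup_fixed),
    }


if __name__ == "__main__":
    for name, leaked in run_regression_suite().items():
        print(f"{name}: {'LEAKS' if leaked else 'ok'}")
```

The check is deliberately tied to the parameter, not to a specific payload string: a release that reverts lookup_fixed to string interpolation fails it regardless of what the public exploit looked like, which is the gap the message above is probing for between 2.3.4 and 3.0.x.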