[VIM] vBulletin 'upgrade.php' Remote Code Injection Vulnerability

Dinesh Theerthagiri Dinesh_Theerthagiri at symantec.com
Tue Oct 29 15:01:45 CDT 2013


Thanks for correcting, George.

63380 is retired.

62909 is updated accordingly with exploit code.


Thanks,
T.Dinesh


-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Tuesday, October 29, 2013 1:31 AM
To: Vulnerability Information Managers
Subject: [VIM] vBulletin 'upgrade.php' Remote Code Injection Vulnerability

Dinesh / Narayan / Venkat / Rob : Can you clarify how BID 63380 differs from BID 62909? Both concern vBulletin's install/upgrade.php script. The former was created today and contains as a link http://www.securityfocus.com/archive/1/529467; the latter is from October 10th and links to http://osvdb.org/ref/97/vbulletin-remote.txt. Comparing the PoCs in those two links suggests to me that they're the same issue.


George
-- 
theall at tenable.com


