Re: Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php
From: andy.huang@xxxxxxxxxxxxx
Date: 23 May 2008 01:23:13 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

There is no exploit involved.  Though, there is a bug involved.

The described issue generates an error screen using the links provided; 
however, this is only because there is a bug with single character search 
strings.  Using anything longer than the string mentioned in the initial report 
(1 letter in length) will not generate an error message, and will not allow any 
sql injection.

There is no exploit, this is an invalid entry.

The bug involved can be seen here:
http://www.vbulletin.com/forum/project.php?issueid=25377

Prev by Date: Re: /home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised
Next by Date: [DSECRG-08-024] Multiple Security Vulnerabilities (RFI,LFI,XSS) in QuateCMS
Previous by thread: Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php
Next by thread: Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php
Index(es):
- Date
- Thread