Vulnerability Development mailing list archives
RE: vBulletin Security Vulnerability
From: "Ferruh Mavituna" <ferruh () mavituna com>
Date: Fri, 23 Jan 2004 07:06:32 +0200
Hello,

This must be an option or something like that in the new vBulletin. After a small search on Google you can find all "vBulletin v3.0.0 Beta 7" forums.

---------------------------------------------------------------------------
"We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft."
---------------------------------------------------------------------------

Not "a site", most of them are vulnerable. If you provide this customization, yes, vBulletin is not vulnerable, but "Jelsoft customizations" are vulnerable.

And most of these forums have a register.php "Standard / Quick" selection and a "regtype" hidden field.

Almost 80% of your customers are vulnerable.

Ferruh.Mavituna
http://feruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc

-----Original Message-----
From: Kier Darby [mailto:kier () vbulletin com]
Sent: Wednesday, January 21, 2004 10:36 PM
To: vuln-dev () securityfocus com
Subject: Re: vBulletin Security Vulnerability

In-Reply-To: <20040120190824.GA4674 () natalya rebby com>

No patch has been issued for this 'vulnerability' because no vulnerability exists.

There is no hidden field called "reg_site", nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed.

We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft.

Current thread:
- vBulletin Security Vulnerability gcf (Jan 20)
- Re: vBulletin Security Vulnerability Curt Rebelein Junior (Jan 21)
- Re: vBulletin Security Vulnerability Curt Rebelein Junior (Jan 21)
- RE: vBulletin Security Vulnerability Ferruh Mavituna (Jan 21)
- <Possible follow-ups>
- Re: vBulletin Security Vulnerability Kier Darby (Jan 22)
- RE: vBulletin Security Vulnerability Ferruh Mavituna (Jan 23)
- RE: vBulletin Security Vulnerability Scott MacVicar (Jan 23)
- RE: vBulletin Security Vulnerability - POC Ferruh Mavituna (Jan 26)