Upgrade to version 3.0.5 or higher, as it has been reported to fix this vulnerability.

It is also possible to correct the flaw by implementing the following workaround: open the init.php file and search for:
$datastoretemp = $DB_site->query("
SELECT title, data
FROM " . TABLE_PREFIX . "datastore
WHERE title IN ('" . implode("', '", $specialtemplates) . "')
");
unset($specials, $specialtemplates);
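Replace it with these lines:
// Refuse anything that is not an array of template names.
if (!is_array($specialtemplates)) {
    exit;
}
// Escape each name before it is placed in the quoted IN (...) list.
$specialtemplate = array();
foreach ($specialtemplates AS $arrykey => $arryval) {
    $specialtemplate[] = addslashes($specialtemplates["$arrykey"]);
}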
$datastoretemp = $DB_site->query("
SELECT title, data
FROM " . TABLE_PREFIX . "datastore
WHERE title IN ('" . implode("', '", $specialtemplate) . "')
");
unset($specials, $specialtemplates, $specialtemplate);
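
The effect of the workaround on the generated IN list, as an added example that is not part of the original advisory. The function names and sample values are hypothetical, and the small scanner assumes MySQL-style backslash escapes, which is the form addslashes() produces.

```php
<?php
// Added illustration: function names and sample values are hypothetical.

// Original form: values are joined into the IN (...) list as they arrive.
function in_list_unescaped($titles)
{
    return "'" . implode("', '", $titles) . "'";
}

// Workaround form: refuse non-arrays, addslashes() every element.
function in_list_escaped($titles)
{
    if (!is_array($titles)) {
        return null; // the workaround calls exit here
    }
    $escaped = array();
    foreach ($titles as $value) {
        if (!is_string($value)) {
            return null; // extra check, not in the workaround: no nested arrays
        }
        $escaped[] = addslashes($value);
    }
    return "'" . implode("', '", $escaped) . "'";
}

// Return the text that falls outside '...' literals (assumes backslash escapes).
function text_outside_literals($list)
{
    $outside = '';
    $inString = false;
    for ($i = 0, $len = strlen($list); $i < $len; $i++) {
        $c = $list[$i];
        if ($inString && $c === '\\') {
            $i++; // skip the escaped character
        } elseif ($c === "'") {
            $inString = !$inString;
        } elseif (!$inString) {
            $outside .= $c;
        }
    }
    return $outside;
}

// Constructed input: the second value contains a single quote.
$titles = array('options', "x' tail");
$plain = in_list_unescaped($titles);
$safe = in_list_escaped($titles);
printf("unescaped: IN (%s) outside=[%s]\n", $plain, text_outside_literals($plain));
printf("escaped:   IN (%s) outside=[%s]\n", $safe, text_outside_literals($safe));
var_dump(in_list_escaped('options')); // a scalar instead of an array is refused
```

In the unescaped list the text after the embedded quote falls outside every literal, so the database would parse it as SQL; in the escaped list only the separator between the two literals does.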