Info
Last Modified: about 1 year ago

Description
vBulletin contains a flaw that may allow a malicious user to inject and execute arbitrary PHP code. Nested input passed to the "template" parameter in "misc.php" is not properly verified. The issue is triggered when the "Add Template Name in HTML Comments" option is enabled. Successful exploitation may result in a loss of confidentiality and integrity.

Classification
Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution
Upgrade to version 3.0.7 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the "Add Template Name in HTML Comments" option.

Products
Forum 3.0.6

Credit
- pokleyzz, SCAN Associates Sdn. Bhd. (scan-associates.net)