The vBulletin team just released a security patch for vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 to address a SQL injection vulnerability on the member list page. Every vBulletin user needs to upgrade to the latest version asap.
vBulletin is a very popular forum sofware used on more than 100,000 web sites.
Directly from vBulletin.com:
A security issue has been reported to us that affects the versions of vBulletin listed here: 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 We have released security patches to account for this vulnerability. The issue may allow attackers to perform SQL injection attacks on your database. It is recommended that all users update as soon as possible.
You can download the patch for your version here: http://members.vbulletin.com/patches.php
This vulnerability was discovered by the Romanian Security Team (RST), so it could already be used in the wild on zeroday attacks. If you can’t patch vBulletin, we recommend blocking access to the memberlist page in the mean time.
If you are leveraging the Sucuri Website Firewall product, your website is already protected through our virtual patching signatures.
1 comment
Thou shall not serialize and unserialize but instead json encode and decode.
Comments are closed.