The forum software vendor vBulletin released a security patch notification on Wednesday. vBulletin has fixed an SQL injection vulnerability in the latest alpha version of its software. The Romanian Security Team (RST), who were testing vBulletin 5.x for security issues before updating their own forum, found a critical security loophole in the software.
A security researcher going by the alias 'Nytro' found the flaw in the forum software. The researcher explains that a potential attacker could gain access to the database containing the administrators' details. The security issue was reported to the vBulletin community member last week.
Last week the researcher also published a video demonstrating the exploit, showing that the SQL injection leads to access to the databases of both RST and vBulletin. In the video Nytro shows the database name, the MySQL version and its users.
For the time being the researcher has not made the exploit public, but he says he will release it once the new patch has been applied by more forum administrators.
Earlier, the RST team had also reported an XSS vulnerability in vBulletin 5.1.1 Alpha 9, which allows an attacker to inject arbitrary web script or HTML code.
In its blog post the vBulletin team says that customers of the cloud service do not need to apply the patch themselves because the maintenance team applies it for them, and also warns all forum administrators that the alpha release is not considered suitable for production or live servers.
Last year vBulletin was also hit by a zero-day SQL injection, which put thousands of popular community forums at risk. Hackers exploited the vulnerability using CUSTID, which allowed an attacker to add an account with administrator privileges. The vulnerability was in the upgrade page of the software package.