
vBulletin Fixed Critical SQL injection vulnerability


The forum software vendor vBulletin released a security patch notification on Wednesday. vBulletin has fixed an SQL injection vulnerability in the latest alpha version of the software. The Romanian Security Team (RST), who were testing vBulletin 5.x for security issues in order to update their own forum, found critical security loopholes in the vBulletin software.

A security researcher going by the alias 'Nytro' found the security flaws in the forum software. The researcher explained that a potential attacker could gain access to the database containing the administrators' details. The security issue was reported to a vBulletin community member last week.

The current security patch addresses this vulnerability in vBulletin versions 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2. Patches for all these releases are available on this page, and users are advised to apply the update as soon as possible.

Last week the researcher also published a video demonstrating the exploit, showing the SQL injection leading to access to the databases of both RST and vBulletin. In the video Nytro shows the database name, the MySQL version, and its users.


For the time being, the researcher has not made the exploit public, but he says that once the new patch has been applied by more forum administrators, he will release the exploit.

Earlier, the RST team had also reported an XSS vulnerability in vBulletin 5.1.1 Alpha 9, which allowed an attacker to inject arbitrary web script or HTML code.

In the blog post, the vBulletin team says that customers of its cloud service do not need to apply the patch themselves, because it is applied by the maintenance team, and also warns all forum administrators that the alpha release is not considered suitable for production or live servers.

Last year vBulletin was also hit by a zero-day SQL injection, which put thousands of popular community forums at risk. Hackers exploited the vulnerability using CUSTID, which allowed an attacker to add an administrator-privileged account. The vulnerability was in the upgrade page of the software package.
