vBulletin announced on Wednesday that a security patch was available for the forum software, one that aims at fixing an SQL injection vulnerability.
The SQL injection risk was privately disclosed to them earlier this week by the members of the Romanian Security Team (RST). They found it while testing vBulletin 5.x for security issues in order to update their forum.

One of the security researchers that found the glitch, who goes by the online alias Nytro, told us that a potential attacker could gain access to the database containing the details of the administrators.

This would automatically offer the perp access to the administration panel and, from there, to other databases. Apart from login details and email addresses, some websites have databases with financial information, which would be a treasure trove for an intruder.
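To make the risk described above concrete from a defender's point of view, here is an added illustration that is not from the article, from RST, or from vBulletin's code base: a minimal admin-lookup query written first with string concatenation (the class of defect behind an SQL injection) and then with a bound parameter. The table, rows and crafted input are all constructed for the example; vBulletin itself runs on PHP and MySQL, so SQLite is used here only to keep the demonstration self-contained.

```python
import sqlite3


def build_db():
    # Constructed stand-in for a forum's administrator table
    # (illustration only; not vBulletin's real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO admins VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the caller-supplied value is spliced into the SQL text, so a
    # quote character in the input ends the string literal and whatever
    # follows is parsed as SQL by the database.
    query = "SELECT username, email FROM admins WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Fix: the value is bound as a parameter. The SQL text is fixed at
    # compile time and the input is only ever treated as data.
    query = "SELECT username, email FROM admins WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    # Runs both variants against the same constructed input and returns the
    # row sets so the difference can be inspected (or asserted on).
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed input: a quote followed by a tautology
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
        "normal": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows}")
```

The concatenated version returns every administrator row for the crafted value, which is exactly the kind of disclosure the paragraph above warns about; the parameterized version returns nothing for it and still works for an ordinary username. When auditing a code base for this class of bug, the thing to look for is any place where request data reaches the query string by concatenation or formatting rather than through a bound parameter.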

The current security patch addresses this vulnerability in vBulletin versions 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2. Patches for all these releases are available on this page and users are recommended to perform the update as soon as possible.

Nytro published a demo video of the exploit, injecting SQL and obtaining access to databases of both RST and vBulletin. The clip clearly shows the database name and version and the MySQL user, which is sufficient proof that details could be exfiltrated.

In the clip, RST said that it did not sell the exploit, although zero-days are generously rewarded by threat actors, the price amounting to thousands of dollars in some cases.

The exploit has not been published, but as soon as the freshly-released security fix is applied by more administrators, Nytro said they would present it to the public.

vBulletin moved very fast in addressing this glitch, as they actually came up with a solution to the problem a day after the issue had been reported, but delayed its release to the public in order to make sure that everything was okay.

In the past, Romanian Security Team found a cross-site scripting (XSS) vulnerability in vBulletin 5.1.1 Alpha 9, which is identified by CVE-2014-3135; it permitted injecting arbitrary web script or HTML code.

A post on the company forum from Wayne Luke, technical support lead at vBulletin, says that customers of the cloud service do not need to bother with the patch because it is applied by the maintenance team.

The representative also says that the latest security fix is to be incorporated in the next revision of vBulletin 5.1.3 Alpha. Administrators are warned that the alpha release is not considered suitable for production or live servers.