
Technical alerts


Mediocrates
01-15-2004, 06:14 AM
I'll post them as I find them


MODERATE: Multiple Vendor SQL Injection Vulnerabilities
Affected:
PostCalendar online events calendar, version 4.0.0
vBulletin forum software, version 2.3.x prior to 2.3.4
Phorum message-board software, version 3.4.5 and prior

Description: The following web-based software packages reportedly
contain SQL injection vulnerabilities: PostCalendar, vBulletin and
Phorum. These flaws can be exploited to manipulate SQL queries issued
against the backend databases, potentially leading to compromise of the
affected application. The technical details required for exploitation
have been posted.

Status: In all cases, the relevant vendor has confirmed the flaw and
fixed the problem in a new release. The following versions contain the
fixes: PostCalendar version 4.0.1, vBulletin version 2.3.4, and Phorum
version 3.4.6.

Council Site Actions: Only one reporting council site is using the
affected software (Phorum). They plan to deploy the fixed versions
during their next regularly scheduled system update process.

References:
PostCalendar online events calendar
Security Advisory by Andreas Krapohl (discovered the flaw)
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2537
Project Homepage
http://noc.postnuke.com/projects/postcalendar
SecurityFocus BID
http://www.securityfocus.com/bid/9372

vBulletin forum software
Posting by Qianwei Hu (discovered the flaw)
http://archives.neohapsis.com/archives/bugtraq/2004-01/0027.html
Vendor Homepage
http://www.vbulletin.com/
SecurityFocus BID
http://www.securityfocus.com/bid/9360

Phorum message-board software
Posting by Calum Power (discovered the flaw)
http://archives.neohapsis.com/archives/bugtraq/2004-01/0029.html
Vendor Homepage
http://www.phorum.org
SecurityFocus BID
http://www.securityfocus.com/bid/9363
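The alert above summarises three SQL injection bugs without showing the mechanism. The following is an added example, not code from the post, the alert, or any of the three products, showing the general pattern behind all three: a request parameter concatenated into a query text, next to the parameterised form that fixes it. The table layout, row data and attack strings are constructed for illustration and are not the real vulnerable parameters or schemas of PostCalendar, vBulletin or Phorum; it uses an in-memory SQLite database so it runs offline.

```python
import sqlite3

# Constructed stand-in for a message-board backend (not any real product's schema).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
CREATE TABLE messages (id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT);
INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0);
INSERT INTO messages VALUES (10, 1, 'admin-only note'), (11, 2, 'public post');
"""


def open_db():
    """Create and populate the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def messages_for_author_vulnerable(conn, author_id):
    """String-built query: the request parameter becomes part of the SQL text.

    author_id is the raw string a web handler would pull from the request.
    Because the value sits in a numeric context, no quote character is needed
    to break out of it; 'OR' and 'UNION' clauses are simply appended.
    """
    sql = "SELECT id, body FROM messages WHERE author_id = " + author_id
    return conn.execute(sql).fetchall()


def messages_for_author_fixed(conn, author_id):
    """Parameter binding: the value is passed to the driver, never spliced into SQL.

    The explicit int() conversion also rejects anything that is not a plain
    integer before it reaches the database, which is the check a numeric
    identifier parameter should have had in the first place.
    """
    try:
        aid = int(author_id)
    except ValueError:
        raise ValueError("author_id must be an integer") from None
    return conn.execute(
        "SELECT id, body FROM messages WHERE author_id = ?", (aid,)
    ).fetchall()


def demo():
    """Run honest and hostile inputs through both versions and report the outcome."""
    conn = open_db()
    honest = "2"
    # Constructed payloads. The first widens the WHERE clause to every row;
    # the second reads a different table through the same query.
    tautology = "2 OR 1=1"
    union = "2 UNION SELECT id, name FROM users"

    leaked_all = messages_for_author_vulnerable(conn, tautology)
    leaked_users = messages_for_author_vulnerable(conn, union)
    expected = messages_for_author_fixed(conn, honest)
    try:
        messages_for_author_fixed(conn, tautology)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "expected_rows": len(expected),        # bob's single message
        "tautology_rows": len(leaked_all),     # every message in the table
        "union_rows": len(leaked_users),       # bob's message plus both user rows
        "hostile_rejected": rejected,          # fixed version refuses the payload
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The union payload is the one to note: the alert's phrase "manipulate SQL queries issued against the backend databases" covers more than returning extra rows from the intended table, since the injected statement can pull columns from any table the application's database account can read. Binding parameters removes the whole class regardless of which payload is tried; input validation on top of it is defence in depth, not the fix.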