Nytro Posted July 15, 2014 Report Posted July 15, 2014 Author: Nytro @ Romanian Security Team All details will be available after a fix from vBulletin. 4 1 Quote
AlStar Posted July 15, 2014 Report Posted July 15, 2014 Mi-a placut finalu: "Si daca nu esti sigur, na demo pe boardu oficial. BAM! " Felicitari! Quote
Nytro Posted July 15, 2014 Author Report Posted July 15, 2014 Thanks. Postasem si pe forumul lor, dar au sters postul. Quote
io.kent Posted July 15, 2014 Report Posted July 15, 2014 Jos palaria! Au sters postul din cauza ca nu accepta realitatea, foarte frumos felicitari Nytro! Quote
1337 Posted July 15, 2014 Report Posted July 15, 2014 Felicitari, mai bine il pastrai privat luand in considerare faptul ca sunt niste cacanari. Quote
.Breacker Posted July 15, 2014 Report Posted July 15, 2014 Un ShowOff de calitate .Du-te si pe la NASA putin,fa-le o vizita . Quote
Nytro Posted July 15, 2014 Author Report Posted July 15, 2014 Thanks. Astept un fix de la vBulletin, un realease care sa repare problema, mai astept putin sa isi mai faca lumea update apoi public exploit-ul. Quote
nein Posted July 15, 2014 Report Posted July 15, 2014 90% din toate forumurile au vBulletin si 5.1.2Felicitari ! Quote
Vlachs Posted July 15, 2014 Report Posted July 15, 2014 Felicitari dar sincer lipseste ceva...winamp-ul cu Denisa Quote
kumudam Posted July 16, 2014 Report Posted July 16, 2014 din cate imi dau seama este un blind in POST ...sau inca e secret? Quote
Nytro Posted July 16, 2014 Author Report Posted July 16, 2014 Nu e blind, dar l-am facut dimineata la 7 inainte sa plec la munca si nu am avut timp sa il fac altfel.Fac un request pentru un caracter (SUBSTR). Se putea si altfel, dar era un query urat si nu am avut timp sa ma complic. Quote
Nytro Posted July 16, 2014 Author Report Posted July 16, 2014 Softpedia: vBulletin Exploitable Through SQL Injection Quote
Nytro Posted July 17, 2014 Author Report Posted July 17, 2014 Au lansat patch-ul: Security Patch Release for vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 - vBulletin Community Forum Quote
askwrite Posted July 17, 2014 Report Posted July 17, 2014 Felicitari.Acum ca e fixat, ni-l poti oferi? Quote
Nytro Posted July 17, 2014 Author Report Posted July 17, 2014 Da. Peste cateva zile. Sa aiba lumea timp sa isi faca lumea update. Quote
robertutzu Posted July 17, 2014 Report Posted July 17, 2014 dat fiind ca sunt multi cu vbulletin neplatit pana vor lua/aparea patch-ul pentru toti va fain disclosure-ul Quote
Usr6 Posted July 17, 2014 Report Posted July 17, 2014 Sucuri"This vulnerability was discovered by the Romanian Security Team (RST), so it could already be used in the wild on 0-day attacks. If you can’t patch vBulletin, we recommend blocking access to the memberlist page in the mean time." Quote
pr0fw3b Posted July 17, 2014 Report Posted July 17, 2014 Sunt curios sa vad exploit-ul dar in rest imi place acest showoff .Un adevarat showoff este aceasta. Felicitari nytro . Quote
Nytro Posted July 17, 2014 Author Report Posted July 17, 2014 Thanks.ComputerWorld: Emergency vBulletin patch fixes SQL injection vulnerability - Computerworld Quote
yo20063 Posted July 17, 2014 Report Posted July 17, 2014 La mai multe! Beau o bere pentru asta....chiar acum! Quote
malsploit Posted July 17, 2014 Report Posted July 17, 2014 Era frumos sa zica si aiai de la vBulletin un multumesc ceva. Faceai ceva victime cu el. Quote
sensi Posted July 17, 2014 Report Posted July 17, 2014 Chiar daca cei de la vbulletin nu merita raportul, trebuie apreciat gestul tau. Felicitari!// Cat a timp durat pana ai gasit 0day-ul? Plt, nu ai zis nimanui ca mai e vbulletin 5 pe server, ne bagam si noi. Quote
Nytro Posted July 29, 2014 Author Report Posted July 29, 2014 CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5102 Quote
