Database error in vBulletin 4.1.2

Today I started to receive the following error in one of my vBulletin 4.1.2 installations.

Database error in vBulletin 4.1.2:

Invalid SQL:

SELECT socialgroupcategory.title
FROM socialgroupcategory AS socialgroupcategory
WHERE socialgroupcategory.socialgroupcategoryid IN (-99) union select salt from user where userid=1 and row(1,1)>(select count(*),concat( (select user.salt) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) — /*);

MySQL Error : Duplicate entry ',Txyq_{0ENe+EAQMmpZxIh`QD=*L/#:1' for key 1
Error Number : 1062
Request Date : Tuesday, November 22nd 2011 @ 07:03:45 PM
Error Date : Tuesday, November 22nd 2011 @ 07:03:45 PM
Script : http://www.domain.com/uk/search.php?do=process
Referrer :
IP Address : 213.252.161.158
Username : Unregistered
Classname : vB_Database_MySQLi
MySQL Version :

This is SQL injection, as the message itself makes clear: the value passed in the IN (...) clause has been extended with a UNION SELECT and a probe that forces a duplicate-entry error, so the MySQL error text carries data from the user table.
The problem is that vBulletin 4.1.2 is vulnerable to SQL injection.

To fix this problem we have to upgrade vBulletin to the latest version.
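As an added example (not part of the original post), here is a small Python parser for this vBulletin database-error report format: it pulls out the version, error number, client IP and failing SQL, and flags the report when the SQL carries the error-based markers visible in the message above. The sample report and the marker list are my own constructions.

```python
import re
# Constructed, abridged sample in the "Database error in vBulletin" report
# format this page shows; the values are placeholders, not the original ones.
SAMPLE_REPORT = """Database error in vBulletin 4.1.2:

Invalid SQL:

SELECT socialgroupcategory.title
FROM socialgroupcategory AS socialgroupcategory
WHERE socialgroupcategory.socialgroupcategoryid IN (-99) union select ... (select count(*),concat(..., 0x3a, floor(rand(0)*2)) x from (...) group by x limit 1) -- /*);

MySQL Error : Duplicate entry 'EXAMPLE_VALUE:1' for key 1
Error Number : 1062
Script : http://forum.example/search.php?do=process
IP Address : 192.0.2.10
"""

# (regex over the failing SQL, what it indicates): the signatures of the
# error-based technique that are visible in the report on this page.
SQL_MARKERS = [
    (r"\bunion\s+(?:all\s+)?select\b", "UNION SELECT spliced into the IN (...) list"),
    (r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", "floor(rand(0)*2) duplicate-key probe"),
    (r"\bcount\s*\(\s*\*\s*\).*\bgroup\s+by\b", "count(*) with group by forcing the key collision"),
    (r"\b0x3a\b", "hex-encoded ':' joining the leaked value to the probe"),
    (r"--\s*/\*", "comment sequence cutting off the rest of the original query"),
]

def parse_report(text: str) -> dict:
    """Return the 'Key : value' fields plus 'version' and the failing 'sql' text."""
    fields = dict(re.findall(r"^([A-Za-z][A-Za-z ]*?) : ?(.*)$", text, re.M))
    sql = re.search(r"Invalid SQL:\s*(.*?)\s*MySQL Error", text, re.S)
    version = re.search(r"vBulletin\s+([\d.]+)", text)
    fields["sql"] = " ".join(sql.group(1).split()) if sql else ""
    fields["version"] = version.group(1) if version else "unknown"
    return fields

def classify(report: str) -> dict:
    """Error 1062 on its own is routine; together with the rand()/group by markers
    it is the signature of error-based extraction, and the 'Duplicate entry' text
    is where the extracted value surfaces. Adds a 'reasons' list (empty when benign)."""
    f = parse_report(report)
    f["reasons"] = [why for pat, why in SQL_MARKERS if re.search(pat, f["sql"], re.I)]
    if f.get("Error Number") == "1062" and any("rand" in r for r in f["reasons"]):
        f["reasons"].append("error 1062 raised by the probe: a value has leaked in the message")
    return f

if __name__ == "__main__":
    hit = classify(SAMPLE_REPORT)
    print(hit["version"], hit["IP Address"], hit["Script"], hit["reasons"])
```

Feeding the reports vBulletin e-mails to the admin through this gives a quick triage list of source IPs and endpoints worth blocking while the upgrade is scheduled.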
