View Single Post
  #3  
Old 28 Sep 2019, 20:04
gambler726 gambler726 is offline
 
Join Date: May 2016
Thanks for the quick response.

Originally Posted by Dave View Post
If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?
It was a list of the actual tables with my specific prefixes plus other tables I created.

Originally Posted by Dave View Post
As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.
I've gotten most, if not all, of my plugins from VB.org, and I use a lot of them. Turning them off, as I have done, makes it look like a different forum. I assume disabling them does not prevent the vulnerabilities?

Here is the email thread - everything is from the emailer. I may have made a mistake but I did reply once with a "thanks, I will look into it"


On Fri, Sep 27, 2019 at 12:12 AM
Hi
I have found SQL injection vulnerability on website.
How i can report it?


On Fri, Sep 27, 2019 at 12:16 AM
its possible to retrieve data base information.

On Fri, Sep 27, 2019 at 12:27 AM
[Listed the tables]


Sent: Thursday, September 26, 2019 4:31 PM

all users information are affected now.
I am looking for admin for bug report.

On Fri, Sep 27, 2019 at 7:13 AM
Will I get compensated for my help?

There is impact. of vulnerability. There is potential attacker can take users information and more...
Reply With Quote