vBulletin includes/init.php Unspecified Vulnerability

high Nessus Plugin ID 16203

Synopsis

The remote web server contains a PHP script that is affected by an unspecified vulnerability.

Description

According to its banner, the remote version of vBulletin is vulnerable to an unspecified issue. Versions 3.0.0 through 3.0.4 are reported to be prone to a security flaw in 'includes/init.php'. Successful exploitation requires that PHP's 'register_globals' setting be enabled.

Solution

Upgrade to vBulletin 3.0.5 or later.

See Also

https://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/128607-vbulletin-3-0-5-released?t=125480

Plugin Details

Severity: High

ID: 16203

File Name: vbulletin_init_php_flaw.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 1/18/2005

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:vbulletin:vbulletin

Required KB Items: www/vBulletin

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/7/2005

Reference Information

BID: 12299