From the exploit:

    if ($argc<2) {
        echo "USAGE:\n";
        echo "~~~~~~\n";
        echo "php {$argv[0]} [url] OPTIONS\n\n";
        echo "[url] - target server where Vanilla is installed\n\n";
        echo "OPTIONS:\n";
        echo "-p=<prefix> - use specific prefix (default LUM_)\n";
        echo "-id=<id> - use specific user id (default 1)\n";
        echo "-c=<count> - benchmark()'s loop count (default 300000)\n";
        echo "-v - verbose mode\n\n";
        echo "tip:\n";
        echo "use bigger number of <count> if server is slow\n\n";
        echo "examples:\n";
        echo "php {$argv[0]} http://site.com/vanilla/ -p=forum_ -id=2\n";
        echo "php {$argv[0]} http://forum.site.com:8080/ -c=400000\n";
        die;
    }

    /**
     * Software site: http://lussumo.com/
     *
     * Script /ajax/sortcategories.php is supposed to be used by admin to sort
     * the categories. However it isn't protected from unauthorized users. Besides,
     * it doesn't properly sanitize user's input data, so we can inject the SQL
     * code into the UPDATE query. Script /ajax/sortroles.php is also vulnerable.
     */

Both scripts ARE protected from unauthorized users:

    if (!$Context->Session->User->Permission('PERMISSION_SORT_CATEGORIES')) {
        die($Context->GetDefinition('ErrPermissionSortCategories'));
    }

Hey Dinoboff - I'm spamming you a bit in the hopes that you see one of these soon, but...
Earlier today I got access to the server and I took the Vanilla-1.1.4.zip file and put it on getvanilla.com.
I was just in the process of upgrading the community forum (which is a bit of a pain because of the restructuring of svn/trunk) and I noticed that the svn trunk still lists the version number as 1.1.3. Is that just a mistake?
I want to get this all wrapped up so I can start breathing easy again :/
Ant builds the package with the correct number, but I forgot to make it change the number in the svn. I will update the svn and fix the build file, but the packages are ok.