Mephisteus Personal Sticky Threads vBulletin Addon Unauthorized Access Vulnerability

Vulnerability ID: 1182919  Vulnerability type: Information disclosure
Published: 2009-04-27  Updated: 2009-04-29
CVE ID: CVE-2008-6754  CNNVD-ID: CNNVD-200904-486
Affected platform: N/A  CVSS score: 4.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2009040240
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-486
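|Vulnerability details
The Personal Sticky Threads addon 1.0.3c for vBulletin allows remote authenticated users to read the title, author, and pages of arbitrary threads by setting a personal sticky.
|Exploit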


Personal Sticky Threads is an addon for vbulletin that allows users to create personal stickies. There appears to be a small problem when toggling the personal sticky on a thread you do not have permission to access.

If I am denied permission to:

http://forums.somesite.com/showthread.php?t=7

Toggling personal stickies for the thread to on, I am able to view the thread title, author, and pages:

http://forums.somesite.com/misc.php?do=togglestick&thread=47

This does not allow me access to the thread but does display information not intended to be viewed by me :)
|References

Source: BID
Name: 33017
Link: http://www.securityfocus.com/bid/33017
Source: BUGTRAQ
Name: 20081223 Personal Sticky Threads v1.0.3c vbulletin Add-on problem
Link: http://www.securityfocus.com/archive/1/archive/1/499562/100/0/threaded
Source: SECUNIA
Name: 33342
Link: http://secunia.com/advisories/33342
Source: OSVDB
Name: 51205
Link: http://osvdb.org/51205