On 07/01/14 22:51, Jim Henderson wrote:
> If he were, he'd have told vBulletin of the exploit. The exploit is described as a "private exploit," which to me says he's not disclosed it.
It really does not matter much; the attacker was able to go way too far in the first place. Yes, the vector is the forum software; why the payload ran without resistance all the way till gaining a shell as the apache user is the question that needs an answer on this side of the road. The actual bug in this kind of PHP bulletin board should be from trivial to moderately easy to find and fix. Since this is a commercial app, that's up to the vendor to figure out.