VWE-2016-3063
February 16, 2017, 2:20 PM
General Differences
made the following changes
- removed the title prefix 'XSS'
- changed the title from 'VerQuatch Vulnerability' to 'VWE-2016-3063'
Differences in Content
-
[template]Vulnerability
| cve=
| aka=VerQuatch Vulnerability
| severity=High
| difficulty=Easy
| description=Local File Inclusion. In PHP < 5.3.3, also Remote Code Execution.
| discover-date=November 14, 2016
| patch-date=November 15, 2016
| patches=4.0.15 Patch Level 1
4.0.14 Patch Level 4
4.0.13 Patch Level 4
4.0.12 Patch Level 5
4.0.11 Patch Level 5
4.0.10 Patch Level 6
4.0.9 Patch Level 6
4.0.8 Patch Level 8
| workaround=It is not possible to work around this vulnerability. A successful exploit is still possible even while VaultWiki is disabled in your site's Add-On/Product Manager.
[/template]
[h=3]Notes[/h]
This vulnerability allowed attackers to potentially read the contents of any file that was readable by your PHP user. After patching, please ensure that any other sensitive data that may be stored on your file system is secure. Some example measures include:
[list][*]Change the MySQL password for your installation.
[*]If using vBulletin, and your forum is configured to cache the datastore as files (see [i]includes/config.php[/i]), then change the SMTP password for your forum's SMTP sender address.
[*]If your site uses SSL, regenerate your private key and certificates.[/list]
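To scope what else needs rotating beyond the measures listed above, the following added example (not VaultWiki's own code) walks a directory tree and reports files that the current user can read and that look like credential material. Run it as your PHP user against your web root; the patterns in `SECRET_PATTERNS`, the function names, and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed markers of credential material; extend them for your own stack.
SECRET_PATTERNS = {
    "private key": re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password setting": re.compile(
        rb"\b(?:password|passwd|smtp_?pass)\w*['\"\]\s]*(?:=>|=|:)\s*['\"][^'\"]+['\"]",
        re.IGNORECASE),
}
MAX_BYTES = 1024 * 1024  # scan only the first 1 MiB of each file


def readable_secrets(root):
    """Return sorted (relative path, kind) pairs for files under root that
    the current user can read and that match one of SECRET_PATTERNS."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or not os.access(path, os.R_OK):
                continue  # skip sockets, FIFOs and anything this user cannot read
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (all file contents are made up)."""
    samples = {
        "includes/config.php": b"$config['MasterServer']['password'] = 'example-only';\n",
        "ssl/site.key": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
        "index.php": b"<?php echo 'hello';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return readable_secrets(root)
```

Every path that `readable_secrets()` returns for your own tree is a candidate for rotation, since it was readable by the same user the vulnerable code ran as.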