VWE-2018-4670
This page is a chapter in Info Known Vulnerabilities
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name: None
VWE-ID: VWE-2018-4670
Related Report: None
Severity: HIGH
Exploit Difficulty: EASY
Platform: XenForo
Description: Denial of Service amplification. Due to a lack of limits on template usage, using a specially crafted wiki page and wiki templates, it may be possible to execute many thousands of queries on the wiki page, which may cause MySQL or PHP to become unresponsive under load.
Discovered: September 26, 2018
Resolved: October 8, 2018
Patches Available:
  4.0.24 Patch Level 1
  4.0.23 Patch Level 3
  4.0.22 Patch Level 5
  4.0.21 Patch Level 6
  4.0.20 Patch Level 9
Notes:
The fix places hard limits on the number of templates, including templates within other templates, that each page is allowed to render. Although amplification is only possible on XenForo platforms, the patch also makes changes to vBulletin-related code.
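
The kind of limit the notes describe, sketched as an added example (PHP 8; this is not VaultWiki's code). The class names, the `{{name}}` inclusion syntax and both limit values are assumptions made for illustration; the advisory does not state the actual numbers. One counter is shared by every nesting level of a page, so nested inclusions draw from the same budget, and a depth cap stops templates that include themselves.

```php
<?php
// Added illustration; class names, limits and {{name}} syntax are assumptions.
final class TemplateLimitExceeded extends RuntimeException {}

final class BudgetedRenderer
{
    private int $rendered = 0;

    public function __construct(
        private array $templates,       // name => body; stands in for DB lookups
        private int $maxTemplates = 50, // assumed; the advisory gives no number
        private int $maxDepth = 5       // assumed
    ) {}

    public function renderPage(string $body): string
    {
        $this->rendered = 0; // the budget is per page, shared by all nesting levels
        return $this->expand($body, 0);
    }

    private function expand(string $text, int $depth): string
    {
        $cb = function (array $m) use ($depth): string {
            if ($depth >= $this->maxDepth) {
                throw new TemplateLimitExceeded("nesting deeper than {$this->maxDepth}");
            }
            // Count before loading, so a rejected inclusion costs no query.
            if (++$this->rendered > $this->maxTemplates) {
                throw new TemplateLimitExceeded("more than {$this->maxTemplates} templates on one page");
            }
            $body = $this->templates[$m[1]] ?? ''; // a real wiki queries here
            return $this->expand($body, $depth + 1);
        };
        return preg_replace_callback('/\{\{(\w+)\}\}/', $cb, $text)
            ?? throw new RuntimeException('template pattern failed');
    }
}

// Constructed sample: one inclusion on the page fans out to 1 + 10 + 100 lookups.
$templates = ['a' => str_repeat('{{b}}', 10), 'b' => str_repeat('{{c}}', 10), 'c' => 'x'];
$renderer = new BudgetedRenderer($templates);
try {
    $renderer->renderPage('{{a}}');
} catch (TemplateLimitExceeded $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo $renderer->renderPage('{{c}} {{c}}'), PHP_EOL; // small pages still render
```

Failing the whole render once the budget is exhausted keeps the per-page query count bounded regardless of how the templates are nested.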