cbcvebase.
CVE-2014-2023
published 2017-10-26

Priority P269 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.15% (89.6th percentile)
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.

Affected

47 ranges · showing 25
Vendor | Product | Version range | Fixed in
linux | linux_kernel | >= 6.2.0 < 6.2.11 | 6.2.11
tapatalk | tapatalk | | (24 rows, no version range listed)

Detection & IOCs (extracted from sources)

path: mobiquo/functions/unsubscribe_forum.php
path: mobiquo/functions/unsubscribe_topic.php
path: mobiquo.php
command: -1 union %s and ( select sleep(%s) ) union select subscribeforumid from subscribeforum where 1=1 OR 1=1
command: -1 union %s and ( select sleep(%s) ) union select subscribethreadid from subscribethread where 1=1 OR 1=1
command: return self.rpc.unsubscribe_forum("s_%s"%query)
command: return self.rpc.unsubscribe_topic("s_%s"%query)
  • Exploit targets the XML-RPC endpoint at mobiquo.php; monitor for XML-RPC POST requests to paths containing 'mobiquo' with method calls to 'unsubscribe_forum' or 'unsubscribe_topic' carrying parameters prefixed with 's_' followed by SQL injection payloads.
  • Blind time-based SQL injection is performed using 'select sleep(N)' inside UNION payloads; detect anomalous response latency on XML-RPC calls to the Tapatalk endpoint combined with SQL keywords (UNION, SELECT, sleep) in request bodies.
  • The exploit uses a mobile iPhone User-Agent string to blend in; correlate this UA with XML-RPC requests to mobiquo.php as a detection pivot.
  • The exploit probes for the string 'tapatalkDetect()' in page responses to fingerprint vulnerable installations before launching the SQL injection attack.
  • Attacker attempts to exfiltrate MySQL root password hash and the Tapatalk 'apikey' setting via blind SQLi; monitor database logs for queries against mysql.user and the 'setting' table with varname='apikey'.
  • Affected versions are Tapatalk plugin 4.9.0 and earlier, and 5.x through 5.2.1 for vBulletin; the exploit PoC is specifically written for the vBulletin 4.x variant.
  • The SQL injection is unauthenticated (no session required); the vulnerable parameters are passed directly into XML-RPC method arguments with no escaping, as noted by the exploit comment 'no escape, invalid_char="_"'.
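
The first two detection points above can be written as a log-triage check. This is an added example, not code from the original page or from the exploit it describes; the record layout, size cap, latency threshold and finding labels are assumptions, and the sample requests are constructed.

```python
import re
import xmlrpc.client

WATCHED_METHODS = {"unsubscribe_forum", "unsubscribe_topic"}
SQL_TOKENS = re.compile(r"\b(union|select|sleep)\b", re.IGNORECASE)
MAX_BODY = 64 * 1024  # assumption: do not parse oversized bodies
SLOW_SECONDS = 3.0    # assumption: latency threshold for the time-based pivot


def inspect_request(path, body, elapsed=0.0):
    """Return findings for one logged POST; an empty list means nothing flagged."""
    if "mobiquo" not in path.lower():
        return []
    if len(body) > MAX_BODY:
        return ["oversized-body"]
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # malformed XML, fault documents, unsupported types
        return ["unparseable-xmlrpc"]
    if method not in WATCHED_METHODS:
        return []
    findings = []
    for value in params:
        if isinstance(value, xmlrpc.client.Binary):  # base64-typed argument
            value = value.data.decode("latin-1")
        if not isinstance(value, str):
            continue
        tokens = sorted({t.lower() for t in SQL_TOKENS.findall(value)})
        if tokens:
            findings.append("sql-keywords:" + ",".join(tokens))
            if value.startswith("s_"):
                findings.append("s_-prefix")
    if findings and elapsed >= SLOW_SECONDS:
        findings.append("slow-response")
    return findings


# Constructed sample records: (path, body, response seconds). The flagged
# argument reuses the template quoted on this page, %s placeholders unfilled.
SAMPLES = [
    ("/mobiquo/mobiquo.php", xmlrpc.client.dumps(("42",), "unsubscribe_forum"), 0.1),
    ("/mobiquo/mobiquo.php", xmlrpc.client.dumps(
        ("s_-1 union %s and ( select sleep(%s) )",), "unsubscribe_topic"), 5.2),
    ("/index.php", "not xml-rpc", 0.1),
]

if __name__ == "__main__":
    for path, body, elapsed in SAMPLES:
        print(path, inspect_request(path, body, elapsed) or "clean")
```

Parsing the call instead of grepping the raw body means base64-typed arguments are decoded before the keyword check, and bodies that fail to parse are surfaced as their own finding.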

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 6.3 | MEDIUM
vendor_redhat | 8.0 | HIGH