07-26-10, 10:58 AM   #60
Rilgamon
Join Date: Sep 2009
Posts: 822
Originally Posted by Dolby
When did you last change your email address?

I'm sorry this happened to you again.

Just yesterday I had found a potential hole into our database where when you updated an AddOn the cached username could allow an injection based upon the user's name. So far it looks like that was the only field that wasn't wrapped with mysql_real_escape_string() due to the fact it was getting the name from vbulletin and I wasn't thinking. I'm investigating the logs to see if anything was taken advantage of there.

We are upgrading to new servers soon (already upgraded our addon file server). I will again audit my MySQL queries and change all passwords (as I do with all moves).
I'm sure you've read this but since you mention vBulletin I thought this might be related:

http://www.h-online.com/open/news/it...n-1044462.html
__________________
The cataclysm broke the world ... and the pandas could not fix it!
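Added example, not part of the thread and not the site's code: the kind of hole the quoted post describes, where one field is left unescaped because it comes from the forum software rather than from a form, shown beside the same update with bound parameters. It assumes Python with an in-memory SQLite database in place of the site's PHP/MySQL stack; the table, column and function names and the usernames are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed schema: one row per addon with a cached author name."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE addons "
               "(id INTEGER PRIMARY KEY, title TEXT, cached_author TEXT)")
    db.executemany("INSERT INTO addons VALUES (?, ?, ?)",
                   [(1, "MapNotes", "alice"), (2, "BagSort", "bob")])
    return db

def update_addon_unsafe(db, addon_id, title, forum_username):
    # The title is escaped by hand (stand-in for mysql_real_escape_string()).
    # The username is not: it came from the forum, so it was treated as trusted.
    safe_title = title.replace("'", "''")
    sql = ("UPDATE addons SET title = '%s', cached_author = '%s' WHERE id = %d"
           % (safe_title, forum_username, int(addon_id)))
    return db.execute(sql).rowcount

def update_addon_safe(db, addon_id, title, forum_username):
    # Bound parameters: every value is passed as data, whatever its origin,
    # so there is no per-field escaping to forget.
    cur = db.execute(
        "UPDATE addons SET title = ?, cached_author = ? WHERE id = ?",
        (title, forum_username, addon_id))
    return cur.rowcount

def rows(db):
    return db.execute(
        "SELECT id, title, cached_author FROM addons ORDER BY id").fetchall()

# Constructed username: it closes the string literal and comments out the
# WHERE clause when concatenated into the statement.
HOSTILE_NAME = "mallory' --"

def demo():
    """Apply the same update to two fresh databases; return both row sets."""
    bad, good = make_db(), make_db()
    update_addon_unsafe(bad, 2, "BagSort 2", HOSTILE_NAME)
    update_addon_safe(good, 2, "BagSort 2", HOSTILE_NAME)
    return rows(bad), rows(good)

if __name__ == "__main__":
    for label, result in zip(("unsafe", "safe"), demo()):
        print(label, result)
```

In the unsafe version the update meant for one addon rewrites every row; with bound parameters the same name is stored as plain text and only the intended row changes.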