SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
vBulletin 'misc.php' Lets Remote Users Inject PHP Code via the 'template' Parameter
SecurityTracker Alert ID:  1013261
SecurityTracker URL:  http://securitytracker.com/id/1013261
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 22 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.0.6 and prior versions
Description:   A vulnerability was reported in vBulletin in the processing of template names. A remote user can execute PHP commands in certain cases.

If the 'Add Template Name in HTML Comments' option is enabled (which is not the default configuration and is not recommended by the vendor for use in a production environment), a remote user can submit PHP code in the 'template' parameter in 'misc.php'.

A demonstration exploit URL is provided:

http://[target]/misc.php?do=page&template={${phpinfo()}}

The vendor was notified on February 18, 2005.

pokley from SCAN Associates reported this vulnerability.

Impact:   A remote user can execute PHP commands on the target system with the privileges of the web service.
Solution:   The vendor has issued a fixed version.

The report indicates that, as a workaround, you can disable the "Add Template Name in HTML Comments" option.
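
A log check for the request pattern described above, as an added example that is not part of the SecurityTracker alert or the SCAN Associates advisory: it flags 'misc.php' requests whose 'template' value carries PHP nested-variable markers, undoing repeated percent-encoding first. The access-log format, the sample lines and the letters/digits/underscore allow-list for template names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: legitimate template names use only letters, digits and underscores.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_]*")
# PHP "nested variable" markers, as in the advisory's demonstration URL.
NESTED_VAR = re.compile(r"\$\{|\{\$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2005:10:01:02 +0000] "GET /misc.php?do=page&template=rules HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Feb/2005:10:02:13 +0000] "GET /forum/misc.php?do=page&template=%7B%24%7Bphpinfo()%7D%7D HTTP/1.1" 200 48211',
    '198.51.100.7 - - [22/Feb/2005:10:02:40 +0000] "GET /misc.php?do=page&template=%257B%2524%257Bphpinfo()%257D%257D HTTP/1.1" 200 931',
    '192.0.2.44 - - [22/Feb/2005:10:03:00 +0000] "GET /misc.php?do=page&template=my%20page HTTP/1.1" 200 700',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markers are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'injection', 'unexpected' or 'ok'; None if not a misc.php template request."""
    m = REQUEST.search(log_line)
    path, _, query = m.group(1).partition("?") if m else ("", "", "")
    if not path.lower().endswith("/misc.php"):
        return None
    values = parse_qs(query, keep_blank_values=True).get("template")
    if values is None:
        return None
    verdict = "ok"
    for raw in values:  # parse_qs has already decoded one layer
        value = fully_decode(raw)
        if NESTED_VAR.search(value):
            return "injection"
        if not SAFE_TEMPLATE.fullmatch(value):
            verdict = "unexpected"
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every request that is not 'ok'."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, v) for n, v in hits if v in ("injection", "unexpected")]
```

A hit shows that the request was made, not that code ran; whether it executed depends on the "Add Template Name in HTML Comments" option and the installed version.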

Vendor URL:  www.vbulletin.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] : [SCAN Associates Security Advisory] vbulletin


Summary: vbulletin 3.0.6 and below php code injection

Description
===========
vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language; PHP, and is complemented with a highly efficient and
ultra fast back-end database engine built using MySQL.

Details
=======
A user may inject PHP code using a "nested variable" in the template name when
"Add Template Name in HTML Comments" is enabled. This option is not enabled
by default and is not recommended by vBulletin for production environments.
The problem occurs when a user may supply a partial template name through
misc.php.


Workaround
==========
Disable "Add Template Name in HTML Comments" option.

Proof of concept
================
http://site.com/misc.php?do=page&template={${phpinfo()}}

Vendor Response
===============
17th February 2005 - Vulnerability found
18th February 2005 - vbulletin developer informed
19th February 2005 - vbulletin developer confirmed
20th February 2005 - Fix Available from vbulletin team
