Message-ID: <opsmi1b0m8smddlu@sampah>
Date: Mon, 21 Feb 2005 11:01:02 +0800
From: pokley <pokleyzz@...n-associates.net>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection


Summary: vbulletin 3.0.6 and below php code injection

Description
===========
vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language, PHP, and is complemented with a highly efficient and
ultra fast back-end database engine built using MySQL.

Details
=======
A user may inject PHP code into the template name using a "nested
variable" when the "Add Template Name in HTML Comments" option is enabled.
This option is not enabled by default, and vBulletin does not recommend it
for production environments. The problem occurs because a user may supply
a partial template name through misc.php.


Workaround
==========
Disable the "Add Template Name in HTML Comments" option.

Proof of concept
================
http://site.com/misc.php?do=page&template={${phpinfo()}}

Vendor Response
===============
17th February 2005 - Vulnerability found
18th February 2005 - vbulletin developer informed
19th February 2005 - vbulletin developer confirmed
20th February 2005 - Fix Available from vbulletin team
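
Added example, not part of the original advisory: a log check for requests that put PHP interpolation syntax into the `template` parameter of misc.php, as in the proof of concept above. The log lines are constructed, and the rule that template names are plain identifiers is an assumption of this sketch, not a documented vBulletin constraint.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target from a combined-format access-log line.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# PHP string-interpolation openers, "${" or "{$", as used by the advisory's PoC.
INTERP_RE = re.compile(r'\$\{|\{\$')
# Assumption: legitimate template names are plain identifiers.
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9_]+$')

def classify(target):
    """Return (verdict, value) for a request target, or None if nothing is flagged."""
    url = urlsplit(target)
    if not url.path.lower().endswith("/misc.php"):
        return None
    finding = None
    # parse_qs percent-decodes, so %7B%24%7B... is checked in its decoded form.
    for name in parse_qs(url.query, keep_blank_values=True).get("template", []):
        if INTERP_RE.search(name):
            return ("injection", name)
        if not SAFE_NAME_RE.match(name) and finding is None:
            finding = ("suspicious", name)
    return finding

def scan(lines):
    """Return a list of (client, verdict, value) for every flagged log line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        result = classify(m.group(2))
        if result:
            hits.append((m.group(1),) + result)
    return hits

SAMPLE_LOG = [  # constructed lines; addresses are from the documentation range
    '192.0.2.10 - - [21/Feb/2005:11:05:00 +0800] "GET /forum/misc.php?do=page&template=rules HTTP/1.1" 200 5120',
    '192.0.2.44 - - [21/Feb/2005:11:06:12 +0800] "GET /forum/misc.php?do=page&template={${phpinfo()}} HTTP/1.1" 200 48211',
    '192.0.2.44 - - [21/Feb/2005:11:06:30 +0800] "GET /forum/misc.php?do=page&template=%7B%24%7Bphpinfo()%7D%7D HTTP/1.1" 200 48211',
    '192.0.2.77 - - [21/Feb/2005:11:07:02 +0800] "GET /forum/misc.php?do=page&template=faq.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Feb/2005:11:08:00 +0800] "GET /forum/index.php?template={$x} HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The same identifier-only rule can be applied as input validation in front of misc.php on installations that cannot yet apply the vendor fix or the workaround.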

